
SIMATIC NET

Industrial Ethernet Security
SCALANCE S615 Web Based Management

Configuration Manual

Preface
1 Description
2 Security recommendation
3 Technical basics
4 Configuring with Web Based Management
5 Upkeep and maintenance
A Appendix A

01/2019
C79000-G8976-C388-07

Legal information
Warning notice system
This manual contains notices you have to observe in order to ensure your personal safety, as well as to prevent
damage to property. The notices referring to your personal safety are highlighted in the manual by a safety alert
symbol, notices referring only to property damage have no safety alert symbol. These notices shown below are
graded according to the degree of danger.

DANGER
indicates that death or severe personal injury will result if proper precautions are not taken.

WARNING
indicates that death or severe personal injury may result if proper precautions are not taken.

CAUTION
indicates that minor personal injury can result if proper precautions are not taken.

NOTICE
indicates that property damage can result if proper precautions are not taken.
If more than one degree of danger is present, the warning notice representing the highest degree of danger will
be used. A notice warning of injury to persons with a safety alert symbol may also include a warning relating to
property damage.
Qualified Personnel
The product/system described in this documentation may be operated only by personnel qualified for the specific
task in accordance with the relevant documentation, in particular its warning notices and safety instructions.
Qualified personnel are those who, based on their training and experience, are capable of identifying risks and
avoiding potential hazards when working with these products/systems.
Proper use of Siemens products
Note the following:

WARNING
Siemens products may only be used for the applications described in the catalog and in the relevant technical
documentation. If products and components from other manufacturers are used, these must be recommended
or approved by Siemens. Proper transport, storage, installation, assembly, commissioning, operation and
maintenance are required to ensure that the products operate safely and without any problems. The permissible
ambient conditions must be complied with. The information in the relevant documentation must be observed.

Trademarks
All names identified by ® are registered trademarks of Siemens AG. The remaining trademarks in this publication
may be trademarks whose use by third parties for their own purposes could violate the rights of the owner.
Disclaimer of Liability
We have reviewed the contents of this publication to ensure consistency with the hardware and software
described. Since variance cannot be precluded entirely, we cannot guarantee full consistency. However, the
information in this publication is reviewed regularly and any necessary corrections are included in subsequent
editions.

Siemens AG
Division Process Industries and Drives
Postfach 48 48
90026 NÜRNBERG
GERMANY

Document order number: C79000-G8976-C388
Ⓟ 01/2019 Subject to change
Copyright © Siemens AG 2015 - 2019. All rights reserved

Preface

Scope of the manual


This Configuration Manual covers the following product:
● SCALANCE S615
This Configuration Manual applies to the following software version:
● SCALANCE S615 firmware as of version V6.1

Purpose of the Configuration Manual


This Configuration Manual is intended to provide you with the information you require to
install, commission and operate the device. It provides you with the information you require
to configure the devices.

Orientation in the documentation


Apart from the Configuration Manual you are currently reading, the following documentation
is also available on the topic of remote networks:
● Configuration Manual: SCALANCE S615 Command Line Interface
This document contains the CLI commands supported by SCALANCE S615 devices.
● Getting Started
Based on examples, this document explains the configuration of the SCALANCE M800/S615 device.
● Operating Instructions SCALANCE S615
You will find this document on the Internet pages of Siemens Industry Online Support. It
contains information on installation, connecting up and approvals of the SCALANCE
S615.
● Operating Instructions SINEMA RC Server
You will find this document on the Internet pages of Siemens Industry Online Support. It
contains information on the installation, configuration and operation of the application
SINEMA Remote Connect Server.
● IP-based remote networks
In this document, the possible configurations of an IP-based remote network are
explained in an overview with the requirements and a link to detailed configuration
instructions.
You will find this document on the Internet under the following entry ID: 26662448
(https://support.industry.siemens.com/cs/ww/en/view/26662448)

SCALANCE S615 Web Based Management


Configuration Manual, 01/2019, C79000-G8976-C388-07 3

SIMATIC NET manuals


You will find SIMATIC NET manuals on the Internet pages of Siemens Industry Online
Support:
● Using the search function:
Link to Siemens Industry Online Support
(http://support.automation.siemens.com/WW/view/en)
Enter the entry ID of the relevant manual as the search term.
● In the navigation panel on the left-hand side in the "Industrial Communication" area:
Link to the "Industrial Communication" area
(http://support.automation.siemens.com/WW/view/en/10805878/130000)
Go to the required product group and make the following settings:
"Entry list" tab, Entry type "Manual"
You will find the documentation for the SIMATIC NET products relevant here on the data
storage medium that ships with some products:
● Product CD / product DVD
● SIMATIC NET Manual Collection

Training, Service & Support


You will find information on Training, Service & Support in the multi-language document
"DC_support_99.pdf" on the data medium supplied with the documentation.

SIMATIC NET glossary


Explanations of many of the specialist terms used in this documentation can be found in the
SIMATIC NET glossary.
You will find the SIMATIC NET glossary here:
● SIMATIC NET Manual Collection or product DVD
The DVD ships with certain SIMATIC NET products.
● On the Internet under the following address:
50305045 (https://support.industry.siemens.com/cs/ww/en/view/50305045)

Security information
Siemens provides products and solutions with industrial security functions that support the
secure operation of plants, systems, machines and networks.
In order to protect plants, systems, machines and networks against cyber threats, it is
necessary to implement – and continuously maintain – a holistic, state-of-the-art industrial
security concept. Siemens’ products and solutions constitute one element of such a concept.
Customers are responsible for preventing unauthorized access to their plants, systems,
machines and networks. Such systems, machines and components should only be
connected to an enterprise network or the internet if and to the extent such a connection is
necessary and only when appropriate security measures (e.g. firewalls and/or network
segmentation) are in place.
For additional information on industrial security measures that may be implemented, please
visit https://www.siemens.com/industrialsecurity.
Siemens’ products and solutions undergo continuous development to make them more
secure. Siemens strongly recommends that product updates are applied as soon as they are
available and that the latest product versions are used. Use of product versions that are no
longer supported, and failure to apply the latest updates may increase customers’ exposure
to cyber threats.
To stay informed about product updates, subscribe to the Siemens Industrial Security RSS
Feed under https://www.siemens.com/industrialsecurity.

Firmware
The firmware is signed and encrypted. This ensures that only firmware created by Siemens
can be downloaded to the device.

License conditions

Note
Open source software
Read the license conditions for open source software carefully before using the product.

You will find license conditions in the following documents on the supplied data medium:
● M87x, M81x, M826, M804PB, S615: OSS_Scalance-M-800-S615_86.pdf

Trademarks
The following and possibly other names not identified by the registered trademark sign ® are
registered trademarks of Siemens AG:
SCALANCE, SINEMA, KEY-PLUG, C-PLUG

Table of contents

Preface ................................................................................................................................................... 3
1 Description ............................................................................................................................................ 13
1.1 Function ..................................................................................................................................13
1.2 Configuration examples ..........................................................................................................15
1.2.1 TeleControl with SINEMA RC .................................................................................................15
1.2.2 Secure access with S615 .......................................................................................................17
1.3 Requirements for operation ....................................................................................................18
1.3.1 Use in a PROFINET environment ...........................................................................................19
1.4 System functions .....................................................................................................................20
1.5 Configuration limits for WBM and CLI .....................................................................................22
1.6 Configuration limits for SINEMA RC .......................................................................................24
1.7 PLUG ......................................................................................................................................25
1.7.1 C-PLUG and KEY-PLUG ........................................................................................................25
1.7.2 PRESET PLUG .......................................................................................................................26
2 Security recommendation...................................................................................................................... 27
3 Technical basics ................................................................................................................................... 33
3.1 Structure of an IPv4 address ..................................................................................................33
3.2 ICMP .......................................................................................................................................35
3.3 VLAN .......................................................................................................................................37
3.3.1 VLAN .......................................................................................................................................37
3.3.2 VLAN tagging ..........................................................................................................................38
3.4 SNMP ......................................................................................................................................40
3.5 Security functions ....................................................................................................................43
3.5.1 User management ..................................................................................................................43
3.5.2 Firewall ....................................................................................................................................45
3.5.2.1 Firewall ....................................................................................................................................45
3.5.3 NAT .........................................................................................................................................49
3.5.4 NAT and firewall ......................................................................................................................50
3.5.5 Certificates ..............................................................................................................................53
3.5.6 VPN .........................................................................................................................................54
3.5.6.1 IPsec VPN ...............................................................................................................................54
3.5.6.2 OpenVPN ................................................................................................................................58
3.5.6.3 VPN connection establishment ...............................................................................................59
3.6 Redundancy ............................................................................................................................63
3.6.1 Spanning Tree ........................................................................................................................63
3.6.1.1 RSTP.......................................................................................................................................64
3.6.2 VRRPv3 ..................................................................................................................................65
4 Configuring with Web Based Management ............................................................................................ 67
4.1 Web Based Management ...................................................................................................... 67
4.2 Starting and logging in ........................................................................................................... 69
4.3 "Wizard" menu ....................................................................................................................... 73
4.3.1 Basic Wizard .......................................................................................................................... 73
4.3.2 IP ............................................................................................................................................ 74
4.3.3 Device .................................................................................................................................... 76
4.3.4 Time Settings ......................................................................................................................... 78
4.3.5 DDNS ..................................................................................................................................... 80
4.3.6 SINEMA RC ........................................................................................................................... 81
4.3.7 Summary ................................................................................................................................ 83
4.4 "Information" menu................................................................................................................. 85
4.4.1 Start Page .............................................................................................................................. 85
4.4.2 Versions ................................................................................................................................. 91
4.4.3 Identification & Maintenance .................................................................................................. 92
4.4.4 ARP Table .............................................................................................................................. 93
4.4.5 Log Tables ............................................................................................................................. 94
4.4.5.1 Event log ................................................................................................................................ 94
4.4.5.2 Security Log ........................................................................................................................... 96
4.4.5.3 Firewall Log ............................................................................................................................ 98
4.4.6 Faults ..................................................................................................................................... 99
4.4.7 DHCP Server ....................................................................................................................... 100
4.4.8 SNMP ................................................................................................................................... 101
4.4.9 LLDP .................................................................................................................................... 102
4.4.10 Routing Table ....................................................................................................................... 103
4.4.11 IPsec VPN ............................................................................................................................ 105
4.4.12 SINEMA RC ......................................................................................................................... 106
4.4.13 OpenVPN client.................................................................................................................... 108
4.4.14 Redundancy ......................................................................................................................... 109
4.4.14.1 Overview .............................................................................................................................. 109
4.4.14.2 Spanning Tree...................................................................................................................... 111
4.4.15 VRRPv3 Statistics ................................................................................................................ 114
4.4.16 Security ................................................................................................................................ 116
4.4.16.1 Overview .............................................................................................................................. 116
4.4.16.2 Supported Function Rights .................................................................................................. 119
4.4.16.3 Roles .................................................................................................................................... 120
4.4.16.4 Groups ................................................................................................................................. 121
4.5 "System" menu..................................................................................................................... 122
4.5.1 Configuration ........................................................................................................................ 122
4.5.2 General ................................................................................................................................ 126
4.5.2.1 Device .................................................................................................................................. 126
4.5.2.2 Coordinates .......................................................................................................................... 128
4.5.3 Restart .................................................................................................................................. 130
4.5.4 Load&Save........................................................................................................................... 132
4.5.4.1 File list .................................................................................................................................. 132
4.5.4.2 HTTP .................................................................................................................................... 134
4.5.4.3 TFTP .................................................................................................................................... 137
4.5.4.4 SFTP .................................................................................................................................... 141
4.5.4.5 Passwords ............................................................................................................................ 145
4.5.5 Events .................................................................................................................................. 146
4.5.5.1 Configuration ........................................................................................................................ 146
4.5.5.2 Severity Filters ......................................................................................................................149
4.5.6 SMTP client ...........................................................................................................................151
4.5.6.1 General .................................................................................................................................151
4.5.6.2 Recipient ...............................................................................................................................154
4.5.7 SNMP ....................................................................................................................................155
4.5.7.1 General .................................................................................................................................155
4.5.7.2 Traps .....................................................................................................................................158
4.5.7.3 v3 Groups .............................................................................................................................159
4.5.7.4 v3 users ................................................................................................................................162
4.5.8 System Time .........................................................................................................................165
4.5.8.1 Manual Setting ......................................................................................................................165
4.5.8.2 DST Overview .......................................................................................................................167
4.5.8.3 DST Configuration ................................................................................................................169
4.5.8.4 SNTP Client ..........................................................................................................................172
4.5.8.5 NTP Client .............................................................................................................................175
4.5.8.6 SIMATIC Time Client ............................................................................................................179
4.5.8.7 NTP Server ...........................................................................................................................180
4.5.9 Auto Logout ...........................................................................................................................182
4.5.10 Button ....................................................................................................................................183
4.5.11 Syslog client ..........................................................................................................................184
4.5.12 Fault Monitoring ....................................................................................................................186
4.5.12.1 Link Change ..........................................................................................................................186
4.5.13 PLUG ....................................................................................................................................188
4.5.13.1 Configuration .........................................................................................................................188
4.5.13.2 License ..................................................................................................................................191
4.5.14 Ping .......................................................................................................................................194
4.5.15 DCP Discovery......................................................................................................................195
4.5.16 DNS.......................................................................................................................................197
4.5.16.1 DNS Client ............................................................................................................................197
4.5.16.2 DNS Proxy ............................................................................................................................199
4.5.16.3 DDNS Client ..........................................................................................................................200
4.5.17 DHCP ....................................................................................................................................201
4.5.17.1 DHCP Client ..........................................................................................................................201
4.5.17.2 DHCP Server ........................................................................................................................203
4.5.17.3 DHCP Options ......................................................................................................................206
4.5.17.4 Static Leases ........................................................................................................................208
4.5.18 cRSP / SRS ..........................................................................................................................209
4.5.19 Proxy Server .........................................................................................................................211
4.5.20 SINEMA RC ..........................................................................................................................212
4.6 "Interfaces" menu ..................................................................................................................216
4.6.1 Ethernet ................................................................................................................................216
4.6.1.1 Overview ...............................................................................................................................216
4.6.1.2 Configuration .........................................................................................................................218
4.6.2 PPP .......................................................................................................................................220
4.6.2.1 Overview ...............................................................................................................................220
4.6.2.2 Configuration .........................................................................................................................221
4.7 "Layer 2" menu .....................................................................................................................224
4.7.1 Layer 2 configuration ............................................................................................................224
4.7.2 VLAN .....................................................................................................................................225
4.7.2.1 General .................................................................................................................................225
4.7.2.2 Port Based VLAN ..................................................................................................................229
4.7.3 Dynamic MAC Aging ............................................................................................................ 231
4.7.4 Spanning Tree...................................................................................................................... 232
4.7.4.1 General ................................................................................................................................ 232
4.7.4.2 ST general............................................................................................................................ 233
4.7.4.3 ST port ................................................................................................................................. 234
4.7.5 LLDP .................................................................................................................................... 239
4.8 "Layer 3" menu..................................................................................................................... 241
4.8.1 Static routes ......................................................................................................................... 241
4.8.2 Subnets ................................................................................................................................ 243
4.8.2.1 Overview .............................................................................................................................. 243
4.8.2.2 Configuration ........................................................................................................................ 245
4.8.3 NAT ...................................................................................................................................... 247
4.8.3.1 Masquerading ...................................................................................................................... 247
4.8.3.2 NAPT .................................................................................................................................... 247
4.8.3.3 Source NAT.......................................................................................................................... 249
4.8.3.4 NETMAP .............................................................................................................................. 252
4.8.4 VRRPv3 ............................................................................................................................... 255
4.8.4.1 Router .................................................................................................................................. 255
4.8.4.2 Configuration ........................................................................................................................ 258
4.8.4.3 Address overview ................................................................................................................. 260
4.8.4.4 Address Configuration ......................................................................................................... 261
4.8.4.5 Interface Tracking ................................................................................................................ 262
4.9 "Security" menu.................................................................................................................... 264
4.9.1 Users .................................................................................................................................... 264
4.9.1.1 Local users ........................................................................................................................... 264
4.9.1.2 Roles .................................................................................................................................... 268
4.9.1.3 Groups ................................................................................................................................. 269
4.9.2 Passwords ............................................................................................................................ 271
4.9.3 AAA ...................................................................................................................................... 273
4.9.3.1 General ................................................................................................................................ 273
4.9.3.2 RADIUS client ...................................................................................................................... 274
4.9.4 Certificates ........................................................................................................................... 277
4.9.4.1 Overview .............................................................................................................................. 277
4.9.4.2 Certificates ........................................................................................................................... 279
4.9.5 Firewall ................................................................................................................................. 282
4.9.5.1 General ................................................................................................................................ 282
4.9.5.2 Predefined IPv4 rules ........................................................................................................... 283
4.9.5.3 User-specific ........................................................................................................................ 284
4.9.5.4 IP services ............................................................................................................................ 287
4.9.5.5 ICMP services ...................................................................................................................... 288
4.9.5.6 IP protocols .......................................................................................................................... 289
4.9.5.7 IP rules ................................................................................................................................. 290
4.9.6 IPsec VPN ............................................................................................................................ 293
4.9.6.1 General ................................................................................................................................ 293
4.9.6.2 Remote End ......................................................................................................................... 294
4.9.6.3 Connections ......................................................................................................................... 296
4.9.6.4 Authentication ...................................................................................................................... 298
4.9.6.5 Phase 1 ................................................................................................................................ 300
4.9.6.6 Phase 2 ................................................................................................................................ 302
4.9.7 OpenVPN client.................................................................................................................... 304
4.9.7.1 General ................................................................................................................................ 304

SCALANCE S615 Web Based Management


10 Configuration Manual, 01/2019, C79000-G8976-C388-07
Table of contents

4.9.7.2 Connections ..........................................................................................................................305


4.9.7.3 Remote .................................................................................................................................307
4.9.7.4 Authentication .......................................................................................................................308
5 Upkeep and maintenance ................................................................................................................... 311
5.1 Device configuration with PRESET-PLUG ...........................................................................311
5.2 Firmware update using WBM not possible ...........................................................................315
5.3 Restoring the factory settings ...............................................................................................317
A Appendix A ......................................................................................................................................... 319
A.1 Format of the syslog messages ............................................................................................319
A.2 Parameters in Syslog messages ..........................................................................................320
A.3 Syslog messages ..................................................................................................................322
A.3.1 Syslog messages SR7.4 ........................................................ Error! Bookmark not defined.
Index................................................................................................................................................... 335

1 Description
1.1 Function

Configuration
Configuration of all parameters using the
● Web Based Management (WBM) via HTTP and HTTPS.
● Command Line Interface (CLI) via Telnet and SSH.

Security functions
● Router with NAT function
– IP masquerading
– NAPT
– SourceNAT
– NETMAP
● Password protection
● Firewall function
– Port forwarding
– IP firewall with stateful packet inspection (layer 3 and 4)
– Global and user-defined firewall rules
● VPN functions
To establish a VPN (Virtual Private Network), the following functions are available
– IPsec VPN
– OpenVPN client
● SINEMA RC client
● Proxy server
● Siemens Remote Service (SRS)

Monitoring / diagnostics / maintenance


● LEDs
Display of operating statuses via the LED display. You will find further information on this
in the Operating Instructions of the device.
● Logging
Events are logged so that the device can be monitored.
● SNMP
For monitoring and controlling network components such as routers or switches from a
central station.

Other functions
● Time-of-day synchronization
– NTP client and NTP server
– Secure NTP server
– SIMATIC Time Client
– SNTP Client
● DHCP
– DHCP server (local network)
– DHCP client
● Virtual networks (VLAN)
To structure Industrial Ethernet networks with a fast growing number of nodes, a physical
network can be divided into several virtual subnets
● Digital input/digital output
● Dynamic DNS client
● DNS client / DNS proxy
● SMTP client
● TIA Portal Cloud Connector (SCALANCE M804PB)

1.2 Configuration examples

1.2.1 TeleControl with SINEMA RC


In this configuration, the remote maintenance master station is connected to the
Internet/intranet via the SINEMA Remote Connect Server. The stations communicate via
SCALANCE M874 or SCALANCE S615 devices that establish a VPN tunnel to the SINEMA RC
Server. In the master station, the SINEMA RC client establishes a VPN tunnel to the
SINEMA RC Server.
The devices must log on to the SINEMA RC Server. The VPN tunnel between the device and
the SINEMA RC Server is established only after successful authentication. Depending on the
configured communication relations and the security settings, the SINEMA RC Server
connects the individual VPN tunnels.

Procedure
To be able to access a plant via a remote maintenance master station, follow the steps
below:
1. Establish the Ethernet connection between the S615 and the connected Admin PC.
2. Create the devices and node groups on the SINEMA RC Server.
3. Configure the connection to the SINEMA RC server on the device, refer to the section
SINEMA RC (Page 212).
4. Set up the connected applications of the plant for data communication.

1.2.2 Secure access with S615

Secure remote access and network segmentation with SCALANCE S615


A secure connection for data exchange between an automation plant and remote stations
will be established via the Internet and mobile wireless network. At the same time, a secure
connection will be established when necessary for service purposes. This connection is,
however, restricted to a specific plant section or a specific machine.
In the automation plant, a SCALANCE S615 is connected to the Internet via the ADSL+
router M812-1. The remote stations will be connected to the Internet via the LTE-CP 1243-7
or the HSPA+ router SCALANCE M874-3. The devices establish a VPN connection to the
SCALANCE S615 via which data can be exchanged securely.
When necessary, the service technician connects to the Internet. With the SOFTNET
Security Client, he or she establishes a secure VPN connection to the S615. Various IP
subnets are connected to the S615 between which the integrated firewall checks
communication. This allows the communication of the service technician to be restricted to a
specific IP subnet.

1.3 Requirements for operation

Power supply
A power supply with a voltage between 12 VDC and 24 VDC that can provide sufficient
current.
You will find further information on this in the device-specific operating instructions.

Configuration
In the factory settings, the SCALANCE S615 can be reached as follows for initial
configuration:

Default values set in the factory

Ethernet interface for the configuration (internal)       P1 ... P4 (vlan 1)
Ethernet interface for the connection to WAN (external)   P5 (vlan 2)
IP address                                                192.168.1.1
Subnet mask                                               255.255.255.0
WBM                                                       Access using HTTPS: TCP port 443
CLI                                                       Access using SSH: TCP port 22
User name                                                 admin
                                                          The user name can be changed after the first logon or after a
                                                          "Restore Factory Defaults and Restart". Afterwards, renaming
                                                          "admin" is no longer possible.
Password                                                  admin
                                                          The password must be changed after the first logon or after a
                                                          "Restore Factory Defaults and Restart".

You will find more information in "Web Based Management (Page 67)" and in "Starting and
logging in (Page 69)".

1.3.1 Use in a PROFINET environment

Note
Validity of CCA declaration
The CCA declaration applies to PROFINET RT without the use in media redundancy
structures.

Configuration information
When using the device in a PROFINET environment, follow the following configuration
instructions:
● Set the "Aging Time" to 45 seconds.
● Disable Spanning Tree and enable Passive Listening.

1.4 System functions

Availability of the system functions


The following table shows the availability of the system functions. Note that all functions are
described in this configuration manual and in the online help. Depending on the KEY-PLUG,
some functions are not available.
We reserve the right to make technical changes.

Menu            Function                                          SCALANCE S615
Basic Wizard    IP settings                                       ✓
                Device Settings                                   ✓
                Time settings                                     ✓
                SINEMA RC 1)                                      ✓
                DDNS                                              ✓
Information     ARP Table                                         ✓
                Log Tables                                        ✓
                VRRPv3 Statistics                                 ✓
                Redundancy                                        ✓
                SINEMA RC 1)                                      ✓
System          SMTP client                                       ✓
                SNMP                                              ✓
                Time setting                                      ✓
                Automatic logout                                  ✓
                Syslog client                                     ✓
                Fault Monitoring                                  ✓
                PLUG                                              ✓
                SMS                                               ✓
                DNS                                               ✓
                DHCP Client                                       ✓
                DHCP Server                                       ✓
                cRSP/SRS                                          ✓
                Proxy Server                                      ✓
                SINEMA RC 1)                                      ✓
Interfaces      Ethernet                                          ✓
                PPP                                               ✓
Layer 2         Configuration                                     ✓
                VLAN                                              ✓
                Dynamic MAC aging                                 ✓
                Spanning Tree                                     ✓
                LLDP                                              ✓
Layer 3         Static routes                                     ✓
                Subnets                                           ✓
                NAT                                               ✓
                VRRPv3                                            ✓
Security        User                                              ✓
                Passwords                                         ✓
                AAA (Authentication, Authorization, Accounting)   ✓
                Certificates                                      ✓
                Firewall                                          ✓
                IPsec VPN                                         ✓
                OpenVPN                                           ✓
1) KEY-PLUG SINEMA Remote Connect 6GK5908-0PB00

1.5 Configuration limits for WBM and CLI

Configuration limits of the device


The following table lists the configuration limits for Web Based Management and the
Command Line Interface of the device.
Depending on your device, some functions are not available.

Configurable function                                               Maximum number

System
  Syslog server                                                     3
  SMTP server                                                       3
  E-mail recipient                                                  60 (20 per SMTP server)
  SNMPv1 trap recipient                                             10
  SNTP server                                                       2
  NTP server                                                        3
    One per layer 3 interface
  DHCP pools                                                        8
  IPv4 addresses managed by the DHCP server (dynamic + static)      100
  Static assignments per DHCP pool                                  20
  DHCP options                                                      9 (1, 2, 3, 4, 5, 6, 42, 66, 67)
  SINEMA RC                                                         1
  Proxy server                                                      5
Layer 2
  Virtual LANs (port-based; including VLAN 1)                       16
  Maximum frame size                                                2048 bytes
Layer 3
  IP interfaces                                                     12
  Static routes                                                     100
  NETMAP                                                            256
  SourceNAT                                                         32
  NAPT                                                              32
  VRRPv3                                                            VRRPv3 instances (VRID): 2
                                                                    Assigned IP addresses: 1 per VRID
Security
  Users                                                             30 (incl. the factory-preset user "admin")
  Groups                                                            32
  Roles                                                             32 (incl. the predefined roles)
  RADIUS server                                                     4
  Firewall                                                          IP protocols: 16
                                                                    IP services: 32
                                                                    ICMP services: 16
                                                                    IP rules: 128
                                                                    User-specific firewall:
                                                                    • Maximum number: 8 rule sets
                                                                    • Parallel user access: 4
                                                                    • Maximum of 128 IP rules per firewall rule set
  IPsec VPN                                                         20
                                                                    You can create a maximum of 20 phase 2 connections per phase 1.
  OpenVPN                                                           Connections: 5
                                                                    Remote end points: 25

1.6 Configuration limits for SINEMA RC


Maximum overall data transfer for all devices: 800 Mbps
Maximum number of devices and users connected simultaneously: 1024 devices with 1
subnet each
User/device combinations can be freely selected up to this maximum quantity structure.
Because the number of subnets also depends on which communication relationships are
permitted between the devices, these relationships must be reviewed and restricted where
necessary. If devices do not need to communicate with one another, disable this function to
ensure optimum device behavior.
If the devices are to communicate with each other, the maximum number of devices and
users connected simultaneously is 200 devices with 8 subnets each, all communicating with
each other.

1.7 PLUG

1.7.1 C-PLUG and KEY-PLUG

How it works
The C-PLUG or KEY-PLUG is used to transfer the configuration of the old device to the new
device when a device is replaced.

NOTICE
Do not remove or insert a C-PLUG / KEY-PLUG during operation!
A PLUG may only be removed or inserted when the device is turned off.
The device checks whether or not a PLUG is present at one second intervals. If it is
detected that the PLUG was removed, there is a restart.
If a valid KEY-PLUG was inserted in the device, the device changes to a defined error state
following the restart.

When the new device starts up with the PLUG, it then continues automatically with exactly
the same configuration as the old device. One exception to this can be the IP configuration if
it is set over DHCP and the DHCP server has not been reconfigured accordingly.
A reconfiguration is necessary if you use functions based on MAC addresses.
If an incorrect PLUG, for example from another product or a damaged PLUG is inserted, the
device signals an error with the "F" LED.
You can either remove the PLUG again or select the option to reformat the PLUG.
In terms of the PLUG, devices work in two modes:
● Without PLUG
The device stores the configuration in internal memory. This mode is active when no
PLUG is inserted.
● With PLUG
The configuration stored on the PLUG is displayed in WBM in "Information > PLUG". If
changes are made to the configuration, the device stores the configuration directly on the
PLUG and in the internal memory. This mode is active as soon as a PLUG is inserted. As
soon as the device is started with a PLUG inserted, the device starts up with the
configuration data on the PLUG.

License information on the KEY-PLUG


In addition to the configuration, the KEY-PLUG also contains a license that allows the use of
Siemens Remote Services.

Type                  Properties                                                                Article number
C-PLUG                Exchangeable storage medium (32 MB) for the configuration data            6GK1900-0AB00
C-PLUG                Exchangeable storage medium (256 MB) for the configuration data           6GK1900-0AB10
KEY-PLUG SINEMA RC    Exchangeable storage medium (256 MB) to enable the connection             6GK5908-0PB00
                      functionality to SINEMA Remote Connect and for accepting configuration
                      data

1.7.2 PRESET PLUG

PLUG with preset function (PRESET-PLUG)


With PRESET-PLUG it is possible to install the same configuration and the firmware
belonging to it on several devices.

Note
Using configurations with DHCP
Create a PRESET-PLUG only from device configurations that use DHCP. Otherwise
disruptions will occur in network operation due to multiple identical IP addresses.
Assign fixed IP addresses separately after the basic installation.

A PLUG that was configured as a PRESET-PLUG stores the device configuration, user
accounts, certificates and the firmware.

Note
Restore factory defaults and restart with a PRESET PLUG inserted
If you reset a device to the factory defaults, when the device restarts an inserted PRESET
PLUG is formatted and the PRESET PLUG functionality is lost. You then need to create a
new PRESET PLUG.
We recommend that you remove the PRESET PLUG before you reset the device to the
factory settings.

For more detailed information on creating and using a PRESET PLUG refer to the section
Device configuration with PRESET-PLUG (Page 311).

2 Security recommendation
To prevent unauthorized access, note the following security recommendations.
A checklist supports you in setting up your device. You can find the checklist at the following
address: (https://support.industry.siemens.com/cs/ww/en/view/109745536)

General
● You should make regular checks to make sure that the device meets these
recommendations and/or other security guidelines.
● Evaluate your plant as a whole in terms of security. Use a cell protection concept with
suitable products:
Link: (https://www.industry.siemens.com/topics/global/en/industrial-security/pages/default.aspx)
● When the internal and external network are disconnected, an attacker cannot access
internal data from the outside. Therefore operate the device only within a protected
network area.
● Use VPN to encrypt and authenticate communication from and to the devices.
● For data transmission via a non-secure network use an encrypted VPN tunnel (IPsec,
Open VPN).
● Terminate connections correctly (WBM, Telnet, SSH etc.), i.e. log out instead of simply closing the client.

Physical access
● Limit physical access to the device to qualified personnel.
The memory card or the PLUG (C-PLUG, KEY-PLUG) contains sensitive data such as
certificates, keys etc. that can be read out and modified.
● Lock unused physical ports on the device. Unused ports can be used to gain forbidden
access to the plant.

Software (security functions)


● Keep the software up to date. Check regularly for security updates of the product.
You will find information on this on the Internet pages "Industrial Security
(https://www.siemens.com/industrialsecurity)".
● Inform yourself regularly about security advisories and bulletins published by Siemens
ProductCERT (https://www.siemens.com/cert/en/cert-security-advisories.htm).
● Only activate protocols that you really require to use the device.
● Restrict access to the management of the device with firewall rules.
● The option of VLAN structuring provides good protection against DoS attacks and
unauthorized access. Check whether this is practical or useful in your environment.

● Use a central logging server to log changes and accesses. Operate your logging server
within the protected network area and check the logging information regularly.
● We recommend formatting a PLUG that is not being used.

Passwords
● Define rules for the use of devices and assignment of passwords.
● Regularly update passwords and keys to increase security.
● Change all default passwords for users before you operate the device.
● Only use passwords with a high password strength. Avoid weak passwords for example
password1, 123456789, abcdefgh.
● Make sure that all passwords are protected and inaccessible to unauthorized personnel.
● Do not use the same password for different users and systems or after it has expired.

Keys and certificates


This section deals with the security keys and certificates you require to set up TLS, VPN
(IPsec, OpenVPN) and SINEMA RC.
● The device contains a pre-installed X.509 certificate with key. Replace this certificate with
your own certificate and key. We recommend that you use a certificate signed by a
trusted external or internal certification authority.
● Use the certification authority including key revocation and management to sign the
certificates.
● Make sure that user-defined private keys are protected and inaccessible to unauthorized
persons.
● Verify certificates and fingerprints on the server and client to prevent "man in the middle"
attacks.
● It is recommended that you use password-protected certificates in the PKCS#12 format.
● It is recommended that you use certificates with a key length of at least 2048 bits.
● Change keys and certificates immediately, if there is a suspicion of compromise.

Secure/non-secure protocols
● Avoid or disable non-secure protocols, for example Telnet and TFTP. For historical
reasons, these protocols are still available, however they are not intended for secure applications.
If you must use non-secure protocols on the device, run them only over a secure connection (e.g. SINEMA RC).
● Avoid or disable non-secure protocols. Check whether use of the following protocols is
necessary:
– Telnet
– HTTP
– Broadcast pings
– Non authenticated and unencrypted interfaces
– ICMP (redirect)
– LLDP
– Syslog
– DHCP Options 66/67
– SNTP
– NTP
– TFTP
– TIA Portal Cloud Connector
● The following protocols provide secure alternatives:
– SNMPv1/v2 → SNMPv3
Check whether use of SNMPv1 is necessary. SNMPv1 is classified as non-secure.
Use the option of preventing write access. The product provides you with suitable
setting options.
If SNMP is enabled, change the community names. If no unrestricted access is
necessary, restrict access with SNMP.
– HTTP → HTTPS
– Telnet → SSH
– NTP → Secure NTP
– SNTP → Secure NTP
– TFTP → SFTP
– TIA Portal Cloud Connector using a secure connection.
Use the "TIA Portal Cloud Connector" integrated in the product over a VPN solution
(e.g. SINEMA RC).
Configure the firewall settings of the SCALANCE M800/S615 (e.g. the predefined IPv4
rules "Cloud Connector") to prevent unauthorized access by network devices to the
"TIA Portal Cloud Connector Server".
● Use secure protocols when access to the device is not prevented by physical protection
measures.

● To prevent unauthorized access to the device or network, take suitable protective
measures against non-secure protocols.
● If you require non-secure protocols and services, activate these at interfaces that are
located within a protected network area.
● Using a firewall, restrict the services and protocols available to the outside to a minimum.
● For the DCP function, enable the "DCP read-only" mode after commissioning.

List of available protocols


The following is a list of all available services and their ports through which the device can be
accessed.

Service                            Protocol/port number    Local access 1)  External access 1)  Service cfg.  Port cfg.  Authentication  Encryption
DHCP client                        UDP/68                  Closed           Closed              ✓             --         --              --
DHCP server                        UDP/67                  Closed 2)        Closed 3)           ✓             --         --              --
DNS client                         TCP/53, UDP/53          Outgoing only    Outgoing only       ✓             --         --              --
DNS server                         TCP/53, UDP/53          Open 4)          Closed              ✓             --         --              --
DynDNS                             TCP/80                  Outgoing only    Outgoing only       ✓             --         ✓               --
HTTP                               TCP/80                  Open             Closed              --            --         ✓               --
HTTP Proxy                         TCP/80, TCP/443         Outgoing only    Outgoing only       ✓             ✓          Optional        --
HTTPS                              TCP/443                 Open             Closed              ✓             --         ✓               ✓
IPsec/IKE                          UDP/500, UDP/4500       Closed           Closed              ✓             --         ✓               ✓
NTP client                         UDP/123                 Outgoing only    Outgoing only       ✓             ✓          --              --
NTP client (secure)                UDP/123                 Outgoing only    Outgoing only       ✓             ✓          ✓               --
NTP server                         UDP/123                 Closed           Closed              ✓             ✓          --              --
NTP server (secure)                UDP/123                 Closed           Closed              ✓             ✓          ✓               --
OpenVPN                            UDP/1194, TCP/1194      Outgoing only    Outgoing only       ✓             ✓          ✓               ✓
Ping                               ICMP                    Open             Closed              ✓             --         ✓               --
PROFINET                           UDP/34964               Closed           Closed              --            --         --              --
RADIUS client                      TCP/1812, UDP/1812      Outgoing only    Outgoing only       ✓             ✓          ✓               --
SFTP                               TCP/22                  Outgoing only    Outgoing only       ✓             ✓          ✓               ✓
Siemens Remote Service (cRSP/SRS)  TCP/443                 Outgoing only    Outgoing only       ✓             --         Optional        ✓
SINEMA RC                          HTTPS/443 and TCP/UDP depending on the server configuration
                                                           Outgoing only    Outgoing only       ✓             ✓          ✓               ✓
SMTP                               TCP/25                  Outgoing only    Outgoing only       ✓             ✓          --              --
SMTP (secure)                      TCP/465, TCP/587        Outgoing only    Outgoing only       ✓             ✓          Optional        ✓
SNMPv1                             UDP/161                 Open             Closed              ✓             --         --              --
SNMPv3                             UDP/161                 Open             Closed              ✓             --         Optional        Optional
SNTP                               UDP/123                 Closed           Closed              ✓             --         --              --
SSH                                TCP/22                  Open             Closed              ✓             --         ✓               ✓
Syslog                             UDP/514                 Outgoing only    Outgoing only       ✓             ✓          --              --
Telnet                             TCP/23                  Closed           Closed              ✓             --         ✓               --
TFTP                               UDP/69                  Outgoing only    Outgoing only       ✓             ✓          --              --
TIA Portal Cloud Connector 5)      TCP/9023                Closed           Closed              ✓             ✓          --              --

1) SCALANCE M826 and M804PB can only be accessed via vlan1 when delivered (factory setting).
2) Only open with SCALANCE M826
3) Only open with SCALANCE S615
4) Only closed with SCALANCE S615
5) Only with SCALANCE M804PB

Explanation for table:


● Default port status
The port status on delivery (factory setting) distinguishes between local and external
access.
– Local access: The port is accessed via a local connection (vlan1).
– External access: The port is accessed via an external connection (vlan2).
● Service / Port configurable
Indicates whether the port number or the service can be configured via WBM / CLI.
● Authentication
Specifies whether the communication partner is authenticated.
If optional, the authentication can be configured as required.
● Encryption
Specifies whether the transfer is encrypted.
If optional, the encryption can be configured as required.
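As an added example (not Siemens code and not part of the original manual), the following Python script turns the table above into a check that can be run against a port scan of the device: it transcribes the factory default state of the services that can listen on the device, flags anything found listening that is "Closed" in the factory configuration (on vlan2, the external side, every listener is a finding), and names the secure alternative recommended above for each non-secure protocol. The scan result SAMPLE_SCAN is constructed here and does not come from a real device; replace it with the listeners you observe on vlan1 and vlan2. Note that SNMPv1 and SNMPv3 share UDP/161, so a port scan alone cannot tell them apart and the script only asks you to verify.

```python
"""Exposure check against the SCALANCE S615 factory-default port table.
Added example, not a Siemens tool. FACTORY transcribes the listening
services from the manual's "List of available protocols"; SAMPLE_SCAN is
constructed data, not output from a real device."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

Port = Tuple[str, int]  # ("tcp", 80)

# port -> (service, factory state on vlan1, factory state on vlan2, secure alternative)
FACTORY: Dict[Port, Tuple[str, str, str, Optional[str]]] = {
    ("tcp", 80):    ("HTTP", "Open", "Closed", "HTTPS (TCP/443)"),
    ("tcp", 443):   ("HTTPS", "Open", "Closed", None),
    ("tcp", 22):    ("SSH", "Open", "Closed", None),
    ("tcp", 23):    ("Telnet", "Closed", "Closed", "SSH (TCP/22)"),
    # SNMPv1 and SNMPv3 share UDP/161; a scan cannot distinguish them.
    ("udp", 161):   ("SNMP", "Open", "Closed", "SNMPv3 with authentication and encryption, SNMPv1 disabled"),
    ("udp", 123):   ("NTP/SNTP server", "Closed", "Closed", "Secure NTP"),
    ("udp", 53):    ("DNS server", "Closed", "Closed", None),
    ("udp", 34964): ("PROFINET", "Closed", "Closed", None),
    ("tcp", 9023):  ("TIA Portal Cloud Connector", "Closed", "Closed",
                     "a VPN (e.g. SINEMA RC) plus the predefined 'Cloud Connector' firewall rules"),
}


@dataclass(frozen=True)
class Finding:
    iface: str
    port: Port
    severity: str   # "high" or "medium"
    service: str
    message: str


def audit_exposure(observed: Dict[str, Set[Port]]) -> List[Finding]:
    """Compare the listeners seen per interface with the factory defaults.
    vlan1 is the internal (local) side, vlan2 the external (WAN) side."""
    findings: List[Finding] = []
    for iface, column in (("vlan1", 1), ("vlan2", 2)):
        for port in sorted(observed.get(iface, set())):
            entry = FACTORY.get(port)
            if entry is None:
                findings.append(Finding(iface, port, "high", "unknown",
                                        "listener not in the documented service list; identify and disable it"))
                continue
            service, *states, alternative = entry
            if states[column - 1] == "Closed":
                # Reachable on the WAN side: policy violation. On the local
                # side it still needs a justification and a firewall rule.
                severity = "high" if iface == "vlan2" else "medium"
                findings.append(Finding(iface, port, severity, service,
                                        "closed in the factory configuration but listening; "
                                        "confirm it is required and restrict it with firewall rules"))
            if alternative:
                findings.append(Finding(iface, port, "medium", service,
                                        f"non-secure protocol; prefer {alternative}"))
    return findings


# Constructed scan result (not from a real device): HTTP and SNMP left open
# internally, an undocumented listener on 8080, and HTTP plus Telnet
# reachable from the WAN side.
SAMPLE_SCAN: Dict[str, Set[Port]] = {
    "vlan1": {("tcp", 22), ("tcp", 80), ("tcp", 443), ("udp", 161), ("tcp", 8080)},
    "vlan2": {("tcp", 80), ("tcp", 23)},
}

if __name__ == "__main__":
    for f in audit_exposure(SAMPLE_SCAN):
        print(f"[{f.severity:6}] {f.iface} {f.port[0]}/{f.port[1]} {f.service}: {f.message}")
```

Running the script on the sample prints seven findings; the three rated "high" are the unknown listener on vlan1 and the two WAN-side listeners, which is the order in which a practitioner would work through them.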

3 Technical basics
3.1 Structure of an IPv4 address

Address classes

IP address range                  Max. number of networks            Max. number of hosts/network  Class  CIDR
1.x.x.x through 126.x.x.x         126                                16777214                      A      /8
128.0.x.x through 191.255.x.x     16383                              65534                         B      /16
192.0.0.x through 223.255.255.x   2097151                            254                           C      /24
224.0.0.0 - 239.255.255.255       Multicast applications                                           D
240.0.0.0 - 255.255.255.255       Reserved for future applications                                 E

An IP address consists of 4 bytes. Each byte is represented in decimal, with a dot separating
it from the previous one. This results in the following structure, where XXX stands for a
number between 0 and 255:
XXX.XXX.XXX.XXX
The IP address is made up of two parts, the network ID and the host ID. This allows different
subnets to be created. Depending on the bytes of the IP address used as the network ID and
those used for the host ID, the IP address can be assigned to a specific address class.

Subnet mask
The bits of the host ID can be used to create subnets. The leading bits represent the address
of the subnet and the remaining bits the address of the host in the subnet.
A subnet is defined by the subnet mask. The structure of the subnet mask corresponds to
that of an IP address. If a "1" is used at a bit position in the subnet mask, the bit belongs to
the corresponding position in the IP address of the subnet address, otherwise to the address
of the computer.
Example of a class B network:
The standard subnet mask for class B networks is 255.255.0.0; in other words, the last
two bytes are available for defining subnets. If 16 subnets must be defined, 4 bits of the
host ID are borrowed: the third byte of the subnet mask is set to 11110000 (binary notation),
which results in the subnet mask 255.255.240.0.
To find out whether two IP addresses belong to the same subnet, each IP address is ANDed
bit by bit with the subnet mask. If both operations have the same result, both IP addresses
belong to the same subnet, for example 141.120.246.210 and 141.120.252.108 (both in
141.120.240.0/20).

Outside the local area network, the distinction between network ID and host ID is of no
significance, in this case packets are delivered based on the entire IP address.

Note
In the bit representation of the subnet mask, the "ones" must be set left-justified; in other
words, there must be no "zeros" between the "ones".
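The subnet-mask rules above (mask construction for the class B example, the bitwise AND test for "same subnet", and the left-justified-ones requirement from the Note), as an added Python example that is not part of the manual. All function names are this example's own; the addresses are the ones used in the text.

```python
from ipaddress import IPv4Address

def mask_from_prefix(prefix_len: int) -> str:
    """Subnet mask with prefix_len leading one bits, e.g. 20 -> 255.255.240.0."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be between 0 and 32")
    return str(IPv4Address(((1 << prefix_len) - 1) << (32 - prefix_len)))

def mask_is_contiguous(mask: str) -> bool:
    """The Note above: all ones left-justified, no zeros between the ones.
    The inverted mask must then have the form 2^k - 1, which is the case
    exactly when it shares no set bit with itself plus one."""
    inverted = ~int(IPv4Address(mask)) & 0xFFFFFFFF
    return (inverted & (inverted + 1)) == 0

def prefix_length(mask: str) -> int:
    """Number of network bits in a valid (contiguous) mask."""
    if not mask_is_contiguous(mask):
        raise ValueError("%s is not a valid subnet mask" % mask)
    return bin(int(IPv4Address(mask))).count("1")

def mask_for_subnets(class_mask: str, subnet_count: int) -> str:
    """Extend a class mask by the host bits needed for subnet_count subnets:
    the class B example needs 4 bits for 16 subnets, 255.255.0.0 -> 255.255.240.0."""
    extra_bits = (subnet_count - 1).bit_length()
    return mask_from_prefix(prefix_length(class_mask) + extra_bits)

def subnet_address(ip: str, mask: str) -> str:
    """Bitwise AND of the address with the mask, as the text describes."""
    return str(IPv4Address(int(IPv4Address(ip)) & int(IPv4Address(mask))))

def same_subnet(ip_a: str, ip_b: str, mask: str) -> bool:
    """Both addresses ANDed with the mask give the same subnet address."""
    return subnet_address(ip_a, mask) == subnet_address(ip_b, mask)

if __name__ == "__main__":
    print(mask_for_subnets("255.255.0.0", 16))
    print(same_subnet("141.120.246.210", "141.120.252.108", "255.255.240.0"))
```

A mask that fails mask_is_contiguous() (for example 255.255.0.255) is rejected before any prefix length is derived, which is the check a configuration validator should apply to operator input.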


3.2 ICMP
The acronym ICMP stands for Internet Control Message Protocol (RFC792) and is used to
exchange error and information messages.
● Error message
Informs the sender of the IP frame that when forwarding the frame an error or a
parameter problem occurred.
● Information message
Can contain information about the time measurement, the address mask, the reachability
of the destination or for finding the router.

Structure of the ICMP data packet

Bits 0 - 7: ICMP packet type (type of message)
Bits 8 - 15: Code (further details of the message)
Bits 16 - 31: Checksum
Data (optional) follows the header.

● ICMP packet type
The most important ICMP packet types are as follows:
– Redirect
The router informs the host in one of its subnets that there is a better route to the
destination. This ICMP packet type is dealt with in more detail in the following
description.
– Destination Unreachable
IP frame cannot be delivered.
– Time Exceeded
Time limit exceeded
– Echo-Request
Echo request, better known as ping.
● Code
The code describes the ICMP packet type in greater detail. The available codes depend on the
selected ICMP packet type. With "Destination Unreachable", for example, "Code 1" means that the
host cannot be reached.
You will find a full list of the ICMP packet types and codes on the website of IANA
(https://www.iana.org/assignments/icmp-parameters).


ICMP packet type 5 - Redirect

Host A wants to send an IP frame to host C. Host C is not located in the same subnet as
host A. For this reason host A sends the IP frame to its default gateway. The default gateway
of host A is interface 1 of router A. Router A cannot forward the IP frame because it does not
know the destination network. Via its routing table, however, router A knows that subnet C is
reachable via router B. Router B connects subnet A with subnet C. Router A sends a redirect
message to host A. In this, router A instructs host A in future to send IP frames to host C via
router B whose IP address is contained in the redirect message. The initial IP frame is sent
by router A directly to router B that forwards it to Host C.

Conditions for sending redirect messages


● The IP frame is received and sent via the same interface of router A.
● The source IP address (host A) is from the same subnet as the next hop address (router
B) in the routing table.
● The IP frame is not affected by a source NAT rule (masquerading, source NAT or
NETMAP).
● So that router A forwards the initial IP frame to router B, a firewall rule vlanX → vlanX is
required.
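The packet layout shown above, the type/code pairs listed there and the redirect message described in this section, as an added Python example that is not part of the manual: it assembles an ICMP message with a correct checksum, decodes type, code and checksum from a received message and, for a Redirect (type 5), reads the gateway address that the router announces. The type and code numbers are the RFC 792 values; the sample addresses and all function names are constructed for this example.

```python
import struct
from ipaddress import IPv4Address

# ICMP type numbers (RFC 792) for the types the text names
ICMP_TYPES = {
    0: "Echo Reply",
    3: "Destination Unreachable",
    5: "Redirect",
    8: "Echo Request",
    11: "Time Exceeded",
}
# Codes that refine a type; the manual's example is type 3 / code 1
ICMP_CODES = {
    3: {0: "net unreachable", 1: "host unreachable",
        2: "protocol unreachable", 3: "port unreachable"},
    5: {0: "redirect for the network", 1: "redirect for the host"},
    11: {0: "TTL exceeded in transit", 1: "fragment reassembly time exceeded"},
}

def internet_checksum(data: bytes) -> int:
    """One's complement sum of all 16-bit words, complemented (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp(icmp_type: int, code: int, rest: bytes = b"\x00" * 4,
               payload: bytes = b"") -> bytes:
    """Type, code, checksum, the 4-byte 'rest of header', then the optional data."""
    if len(rest) != 4:
        raise ValueError("rest of header must be 4 bytes")
    body = struct.pack("!BBH", icmp_type, code, 0) + rest + payload
    return body[:2] + struct.pack("!H", internet_checksum(body)) + body[4:]

def parse_icmp(packet: bytes) -> dict:
    """Decode the header fields and verify the checksum of a received message."""
    if len(packet) < 8:
        raise ValueError("truncated ICMP message")
    icmp_type, code, _checksum = struct.unpack("!BBH", packet[:4])
    info = {
        "type": icmp_type,
        "code": code,
        "type_name": ICMP_TYPES.get(icmp_type, "unknown"),
        "code_name": ICMP_CODES.get(icmp_type, {}).get(code, "unspecified"),
        # a correct message sums to zero when the stored checksum is included
        "checksum_ok": internet_checksum(packet) == 0,
        "data": packet[8:],
    }
    if icmp_type == 5:
        # for Redirect the 4 bytes after the checksum carry the better router's address
        info["gateway"] = str(IPv4Address(packet[4:8]))
    return info

if __name__ == "__main__":
    # constructed sample: router A tells host A to use router B (192.168.1.254, assumed)
    redirect = build_icmp(5, 1, IPv4Address("192.168.1.254").packed, b"\x45\x00")
    print(parse_icmp(redirect))
```

Checking checksum_ok before acting on a message, and logging the announced gateway of every Redirect, is the minimum a host-side monitor needs to spot redirects that do not come from the configured default gateway.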


3.3 VLAN

3.3.1 VLAN

Network definition regardless of the spatial location of the nodes


VLAN (Virtual Local Area Network) divides a physical network into several logical networks
that are shielded from each other. Here, devices are grouped together to form logical groups.
Only nodes of the same VLAN can address each other. Since multicast and broadcast
frames are only forwarded within the particular VLAN, they are also known as broadcast
domains.
The particular advantage of VLANs is the reduced network load for the nodes and network
segments of other VLANs.
To identify which packet belongs to which VLAN, the frame is expanded by 4 bytes, refer to
VLAN tagging (Page 38). This expansion includes not only the VLAN ID but also priority
information.

Options for the VLAN assignment


There are various options for the assignment to VLANs:
● Port-based VLAN
Each port of a device is assigned a VLAN ID. You configure port-based VLAN in "Layer 2
> VLAN > Port-based VLAN (Page 229)".
● Protocol-based VLAN
Each port of a device is assigned a protocol group.
● Subnet-based VLAN
The IP address of the device is assigned a VLAN ID.

VLAN assignment on the device


In the factory settings, the following assignments are made on the SCALANCE S615:

Ports      VLAN    Purpose
P1 to P4   vlan1   For access from the local network (LAN) to the device
P5         vlan2   For access from the external network (WAN) to the device

You can change the assignment in "Layer 2 > VLAN > General (Page 225)".
The VLANs are in different IP subnets. To allow these to communicate with each other, the
route and firewall rule must be configured on the device.


3.3.2 VLAN tagging

Expansion of the Ethernet frames by four bytes


For CoS (Class of Service, frame priority) and VLAN (virtual network), the IEEE 802.1Q
standard defined the expansion of Ethernet frames by adding the VLAN tag.

Note
The VLAN tag increases the permitted total length of the frame from 1518 to 1522 bytes.
The end nodes on the networks must be checked to find out whether they can process this
length / this frame type. If this is not the case, only frames of the standard length may be
sent to these nodes.

The additional 4 bytes are located in the header of the Ethernet frame between the source
address and the Ethernet type / length field:

Figure 3-1 Structure of the expanded Ethernet frame

The additional bytes contain the tag protocol identifier (TPID) and the tag control information
(TCI).

Tag protocol identifier (TPID)


The first 2 bytes form the Tag Protocol Identifier (TPID) and always have the value 0x8100.
This value specifies that the data packet contains VLAN information or priority information.

Tag Control Information (TCI)


The 2 bytes of the Tag Control Information (TCI) contain the following information:


The tagged frame has 3 bits for the priority that is also known as Class of Service (CoS), see
also IEEE 802.1Q.

CoS bits   Priority      Type of the data traffic
000        0 (lowest)    Background
001        1             Best Effort
010        2             Excellent Effort
011        3             Critical Applications
100        4             Video, < 100 ms delay (latency and jitter)
101        5             Voice (language), < 10 ms delay (latency and jitter)
110        6             Internetwork Control
111        7 (highest)   Network Control

The prioritization of the data packets is possible only if the components have a queue in which
they can buffer data packets with lower priority.
The device has multiple parallel queues in which the frames with different priorities can be
processed. By default, the frames with the highest priority are processed first. This method
ensures that the frames with the highest priority are sent even if there is heavy data traffic.
Canonical Format Identifier (CFI)
The CFI is required for compatibility between Ethernet and Token Ring.
The values have the following meaning:

Value   Meaning
0       The format of the MAC address is canonical. In the canonical representation of the MAC
        address, the least significant bit is transferred first. Standard setting for Ethernet switches.
1       The format of the MAC address is not canonical.

VLAN ID
In the 12-bit data field, up to 4096 VLAN IDs can be formed. The following conventions
apply:

VLAN ID    Meaning
0          The frame contains only priority information (priority tagged frames) and no valid
           VLAN identifier.
1 - 4094   Valid VLAN identifier, the frame is assigned to a VLAN and can also include
           priority information.
4095       Reserved
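The tag layout described in this section (TPID 0x8100, then the 3-bit priority, the CFI bit and the 12-bit VLAN ID) together with the VLAN ID conventions of the table above, as an added Python example that is not part of the manual. It builds a tag, splits an Ethernet header into its fields, recognizes whether the frame is tagged and applies the 1518 / 1522 byte limit from the Note; the MAC addresses in the sample frame and all function names are constructed for this example.

```python
import struct

TPID_8021Q = 0x8100           # tag protocol identifier, always this value for 802.1Q
UNTAGGED_MAX_FRAME = 1518
TAGGED_MAX_FRAME = UNTAGGED_MAX_FRAME + 4

# CoS value -> traffic type from the priority table
COS_TRAFFIC = {0: "Background", 1: "Best Effort", 2: "Excellent Effort",
               3: "Critical Applications", 4: "Video", 5: "Voice",
               6: "Internetwork Control", 7: "Network Control"}

def build_tag(pcp: int, cfi: int, vid: int) -> bytes:
    """4-byte VLAN tag: TPID followed by the TCI (PCP 3 bits, CFI 1 bit, VID 12 bits)."""
    if not 0 <= pcp <= 7 or cfi not in (0, 1) or not 0 <= vid <= 4095:
        raise ValueError("field out of range")
    tci = (pcp << 13) | (cfi << 12) | vid
    return struct.pack("!HH", TPID_8021Q, tci)

def vid_meaning(vid: int) -> str:
    """The conventions from the VLAN ID table."""
    if vid == 0:
        return "priority tagged, no VLAN identifier"
    if vid == 4095:
        return "reserved"
    return "VLAN %d" % vid

def parse_frame(frame: bytes) -> dict:
    """Split the Ethernet header; a tag sits between the source MAC and the type/length field."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet frame")
    info = {"dst": frame[:6].hex(":"), "src": frame[6:12].hex(":"), "tagged": False}
    type_or_tpid = struct.unpack("!H", frame[12:14])[0]
    if type_or_tpid != TPID_8021Q:
        info.update(ethertype=type_or_tpid, payload=frame[14:])
        return info
    if len(frame) < 18:
        raise ValueError("truncated VLAN tag")
    tci = struct.unpack("!H", frame[14:16])[0]
    pcp, cfi, vid = tci >> 13, (tci >> 12) & 1, tci & 0x0FFF
    info.update(tagged=True, pcp=pcp, cos=COS_TRAFFIC[pcp], cfi=cfi, vid=vid,
                vid_meaning=vid_meaning(vid),
                ethertype=struct.unpack("!H", frame[16:18])[0], payload=frame[18:])
    return info

def permitted_max_length(tagged: bool) -> int:
    """Total frame length a node must accept (the Note: 1518 bytes, 1522 with tag)."""
    return TAGGED_MAX_FRAME if tagged else UNTAGGED_MAX_FRAME

if __name__ == "__main__":
    # constructed sample frame: IPv4 (EtherType 0x0800) in VLAN 100 with CoS 5
    dst, src = bytes.fromhex("0102030405ff"), bytes.fromhex("00aabbccddee")
    print(parse_frame(dst + src + build_tag(5, 0, 100) + b"\x08\x00" + b"\x45" * 20))
```

A switch port that does not process tagged frames will see 0x8100 where it expects the type/length field and reject the frame, which is the compatibility problem the Note asks you to check for.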


3.4 SNMP

Introduction
With the aid of the Simple Network Management Protocol (SNMP), you monitor and control
network components from a central station, for example routers or switches. SNMP controls
the communication between the monitored devices and the monitoring station.
Tasks of SNMP:
● Monitoring of network components
● Remote control and remote parameter assignment of network components
● Error detection and error notification
In versions v1 and v2c, SNMP has no security mechanisms. Each user in the network can
access data and also change parameter assignments using suitable software.
For the simple control of access rights without security aspects, community strings are used.
The community string is transferred along with the query. If the community string is correct,
the SNMP agent responds and sends the requested data. If the community string is not
correct, the SNMP agent discards the query. Define different community strings for read and
write permissions. The community strings are transferred in plain text.
Standard values of the community strings:
● public
has only read permissions
● private
has read and write permissions

Note
Because the SNMP community strings are used for access protection, do not use the
standard values "public" or "private". Change these values following the initial
commissioning.

Further simple protection mechanisms at the device level:


● Allowed Host
The IP addresses of the monitoring systems are known to the monitored system.
● Read Only
If you assign "Read Only" to a monitored device, monitoring stations can only read out
data but cannot modify it.


SNMP data packets are not encrypted and can easily be read by others.
The central station is also known as the management station. An SNMP agent is installed on
the devices to be monitored with which the management station exchanges data.
The management station sends data packets of the following type:
● GET
Request for a data record from the SNMP agent
● GETNEXT
Calls up the next data record.
● GETBULK (available as of SNMPv2c)
Requests multiple data records at one time, for example several rows of a table.
● SET
Contains parameter assignment data for the relevant device.
The SNMP agent sends data packets of the following type:
● RESPONSE
The SNMP agent returns the data requested by the manager.
● TRAP
If a certain event occurs, the SNMP agent itself sends traps.
SNMPv1/v2c/v3 use UDP (User Datagram Protocol) on the UDP ports 161 (requests) and 162 (traps).
The data is described in a Management Information Base (MIB).


SNMPv3
Compared with the previous versions SNMPv1 and SNMPv2c, SNMPv3 introduces an
extensive security concept.
SNMPv3 supports:
● Fully encrypted user authentication
● Encryption of the entire data traffic
● Access control of the MIB objects at the user/group level
With the introduction of SNMPv3 you can no longer transfer user configurations to other
devices without taking special action, e.g. by loading a configuration file or replacing the C-PLUG.
According to the standard, the SNMPv3 protocol uses a unique SNMP engine ID as an
internal identifier for an SNMP agent. This ID must be unique in the network. It is used to
authenticate access data of SNMPv3 users and to encrypt it.
Depending on whether you have enabled or disabled the "SNMPv3 User Migration" function,
the SNMP engine ID is generated differently.
Restriction when using the function
Use the "SNMPv3 User Migration" function only to transfer configured SNMPv3 users to a
substitute device when replacing a device.
Do not use the function to transfer configured SNMPv3 users to multiple devices. If you load
a configuration with created SNMPv3 users on several devices, these devices use the same
SNMP engine ID. If you use these devices in the same network, your configuration
contradicts the SNMP standard.
Compatibility with predecessor products
You can only transfer SNMPv3 users to a different device if you have created the users as
migratable users. To create a migratable user the "SNMPv3 User Migration" function must
be activated when you create the user.


3.5 Security functions

3.5.1 User management

Overview of user management


Access to the device is managed by configurable user settings. Set up users with a
password for authentication. Assign a role with suitable rights to the users.
The authentication of users can either be performed locally by the device or by an external
RADIUS server. You configure how the authentication is handled on the "Security > AAA >
General" page.

Local logon
The local logging on of users by the device runs as follows:
1. The user logs on with user name and password on the device.
2. The device checks whether an entry exists for the user.
→ If an entry exists, the user is logged in with the rights of the associated role.
→ If no corresponding entry exists, the user is denied access.

Login via an external RADIUS server


RADIUS (Remote Authentication Dial-In User Service) is a protocol for authenticating and
authorizing users by servers on which user data can be stored centrally.
Depending on the RADIUS authorization mode you have selected on the "Security > AAA >
RADIUS Client" page, the device evaluates different information of the RADIUS server.

RADIUS authorization mode "Standard"


If you have set the authorization mode "conventional", the authentication of users via a
RADIUS server runs as follows:
1. The user logs on with user name and password on the device.
2. The device sends an authentication request with the login data to the RADIUS server.
3. The RADIUS server runs a check and signals the result back to the device.
– The RADIUS server reports a successful authentication and returns the value
"Administrative User" to the device for the attribute "Service Type".
→ The user is logged in with administrator rights.


– The RADIUS server reports a successful authentication and returns a different or even
no value to the device for the attribute "Service Type".
→ The user is logged in with read rights.
– The RADIUS server reports a failed authentication to the device:
→ The user is denied access.

RADIUS authorization mode "SiemensVSA"


Requirement
For the RADIUS authorization mode "Siemens VSA" the following needs to be set on the
RADIUS server:
● Manufacturer code: 4196
● Attribute number: 1
● Attribute format: Character string (group name)
Procedure
If you have set the authorization mode "SiemensVSA", the authentication of users via a
RADIUS server runs as follows:
1. The user logs on with user name and password on the device.
2. The device sends an authentication request with the login data to the RADIUS server.
3. The RADIUS server runs a check and signals the result back to the device.
Case A: The RADIUS server reports a successful authentication and returns the group
assigned to the user to the device.
– The group is known on the device and the user is not entered in the table "External
User Accounts"
→ The user is logged in with the rights of the assigned group.
– The group is known on the device and the user is entered in the table "External User
Accounts"
→ The user is assigned the role with the higher rights and logged in with these rights.
– The group is not known on the device and the user is entered in the table "External
User Accounts"
→ The user is logged in with the rights of the role linked to the user account.
– The group is not known on the device and the user is not entered in the table "External
User Accounts"
→ The user is logged in with the rights of the role "Default".


Case B: The RADIUS server reports a successful authentication but does not return a
group to the device.
– The user is entered in the table "External User Accounts":
→ The user is logged in with the rights of the linked role "".
– The user is not entered in the table "External User Accounts":
→ The user is logged in with the rights of the role "Default".
Case C: The RADIUS server reports a failed authentication to the device:
– The user is denied access.
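The decision tables of both RADIUS authorization modes ("Standard" with the Service-Type attribute, and "SiemensVSA" with cases A to C), as an added Python example that is not part of the manual. The role names other than "Default" and the ranking used for "the role with the higher rights" are assumptions of this example, as are the group and user names in the sample data; for case B the manual leaves the name of the linked role blank, so the example uses the role linked to the external user account.

```python
from typing import Dict, Optional

# Assumed ranking of roles, highest rights last; only "Default" is a name from the manual.
ROLE_RANK: Dict[str, int] = {"Default": 0, "read": 1, "maintenance": 2, "administrator": 3}

def role_standard_mode(auth_ok: bool, service_type: Optional[str]) -> Optional[str]:
    """Authorization mode "Standard": only the Service-Type attribute is evaluated.
    Returns the effective role, or None when access is denied."""
    if not auth_ok:
        return None                                   # failed authentication
    if service_type == "Administrative User":
        return "administrator"                        # administrator rights
    return "read"                                     # any other or no value: read rights

def role_siemens_vsa(auth_ok: bool, user: str, group: Optional[str],
                     group_roles: Dict[str, str],
                     external_accounts: Dict[str, str]) -> Optional[str]:
    """Authorization mode "SiemensVSA".
    group_roles:       groups known on the device -> role assigned to the group
    external_accounts: table "External User Accounts", user -> linked role"""
    if not auth_ok:                                   # case C
        return None
    account_role = external_accounts.get(user)
    if group is None:                                 # case B: no group returned
        return account_role if account_role is not None else "Default"
    group_role = group_roles.get(group)               # case A: group returned
    if group_role is not None and account_role is None:
        return group_role                             # known group, user not in table
    if group_role is not None and account_role is not None:
        # known group and user in table: the role with the higher rights wins
        return max(group_role, account_role, key=lambda r: ROLE_RANK[r])
    if account_role is not None:
        return account_role                           # unknown group, user in table
    return "Default"                                  # unknown group, user not in table

if __name__ == "__main__":
    # constructed sample data, not taken from any device
    groups = {"ops": "maintenance", "noc": "read"}
    accounts = {"alice": "administrator", "bob": "read"}
    print(role_siemens_vsa(True, "alice", "noc", groups, accounts))
```

When auditing a device, the table "External User Accounts" deserves the same review as local accounts: an entry there can raise a RADIUS user above the rights of the group the server returned.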

3.5.2 Firewall

3.5.2.1 Firewall
The security functions of the device include a stateful inspection firewall. This is a method of
packet filtering or packet checking.
The IP packets are checked based on firewall rules in which the following is specified:
● The permitted protocols
● IP addresses and ports of the permitted sources
● IP addresses and ports of the permitted destinations
If an IP packet fits the specified parameters, it is allowed to pass through the firewall. The
rules also specify what is done with IP packets that are not allowed to pass through the
firewall.
Simple packet filter techniques require two firewall rules per connection.
● One rule for the query direction from the source to the destination.
● A second rule for the response direction from the destination to the source

Stateful Inspection Firewall


You only need to specify one firewall rule for the query direction from the source to the
destination. The second rule is added implicitly. The packet filter recognizes when, for
example, computer "A" is communicating with computer "B" and only then does it allow
replies. A query by computer "B" is therefore not possible without a prior request by
computer "A".


You configure the firewall in "Security > Firewall".

Note
IP packets via layer 2 (within the same VLAN)
If the IP packets from the device are sent via a switch port (layer 2), these IP packets are not
checked based on firewall rules. The firewall has no effect on packets forwarded at the layer
2 level.
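The stateful inspection behaviour described above (one rule for the query direction, replies admitted implicitly, unsolicited packets from the far side dropped), as an added Python example that is not part of the manual. The rule and packet structure follow the columns of the firewall rule tables in this chapter (From, To, Source, Destination, Service); the addresses, ports and class names are constructed for this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src_zone: str        # interface the packet arrives on, e.g. "vlan1"
    dst_zone: str        # interface it would leave on, e.g. "vlan2"
    src: str
    dst: str
    proto: str           # "tcp", "udp" or "icmp"
    sport: int
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str                              # "accept" or "drop"
    src_zone: str                            # From
    dst_zone: str                            # To
    src_net: str                             # Source (Range)
    dst_net: str                             # Destination (Range)
    service: Optional[Tuple[str, int]] = None   # (proto, port); None means "all"

    def matches(self, p: Packet) -> bool:
        if (p.src_zone, p.dst_zone) != (self.src_zone, self.dst_zone):
            return False
        if ip_address(p.src) not in ip_network(self.src_net):
            return False
        if ip_address(p.dst) not in ip_network(self.dst_net):
            return False
        return self.service is None or self.service == (p.proto, p.dport)

class StatefulFirewall:
    """Rules are written for the query direction only; a connection table lets
    the matching replies through and nothing else."""

    def __init__(self, rules, default_action: str = "drop"):
        self.rules = list(rules)
        self.default_action = default_action
        self.connections = set()             # 5-tuples of accepted requests

    @staticmethod
    def _key(p: Packet):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    def filter(self, p: Packet) -> str:
        # 1) a reply to a tracked request passes without a rule of its own
        reply_of = (p.proto, p.dst, p.dport, p.src, p.sport)
        if reply_of in self.connections:
            return "accept"
        # 2) further packets of an already accepted request pass as well
        if self._key(p) in self.connections:
            return "accept"
        # 3) otherwise the first matching rule decides; nothing matches: default
        for rule in self.rules:
            if rule.matches(p):
                if rule.action == "accept":
                    self.connections.add(self._key(p))
                return rule.action
        return self.default_action

if __name__ == "__main__":
    fw = StatefulFirewall([Rule("accept", "vlan1", "vlan2",
                                "192.168.1.0/24", "10.10.10.0/24", ("tcp", 80))])
    request = Packet("vlan1", "vlan2", "192.168.1.10", "10.10.10.5", "tcp", 40000, 80)
    reply = Packet("vlan2", "vlan1", "10.10.10.5", "192.168.1.10", "tcp", 80, 40000)
    print(fw.filter(request), fw.filter(reply))
```

The order of the checks matters: the connection table is consulted before the rules, so a reply is accepted even though no rule for the direction vlan2 to vlan1 exists, while the same packet arriving without a prior request falls through to the default drop.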

Communication directions

● from vlan x
– to vlan x: Access from IP subnet vlan x to IP subnet vlan x.
Example: vlan1 (INT) → vlan2 (EXT): Access from the local IP subnet to the external IP subnet.
– to ppp2: Access from the IP subnet to the WAN interface of the device.
– to Device: Access from the IP subnet to the device.
– to SINEMA RC: Access from the IP subnet to the SINEMA RC connection.
– to IPsec (all), IPsec <Connection Name>, OpenVPN (all), OpenVPN <Connection Name>: Access
from the IP subnet to the VPN tunnel partners that can be reached via all VPN connections (all) or
via a certain VPN connection <Connection Name>.
● from Device
– to vlan x: Access from the device to the IP subnet.
– to ppp2: Access from the device to the WAN interface of the device.
– to SINEMA RC: Access from the device to the SINEMA RC connection.
– to IPsec (all), IPsec <Connection Name>, OpenVPN (all), OpenVPN <Connection Name>: Access
from the device to the tunnel partners that can be reached via all VPN connections (all) or via a
certain VPN connection (<Connection Name>).
● from SINEMA RC
– to vlan x: Access from SINEMA RC connections to the IP subnet.
– to ppp2: Access from the IP subnet to the WAN interface of the device.
– to Device: Access from SINEMA RC connections to the device.
– to IPsec (all), IPsec <Connection Name>, OpenVPN (all), OpenVPN <Connection Name>: Access
from the SINEMA RC server to the VPN tunnel partners that can be reached via all VPN
connections (all) or via a certain VPN connection <Connection Name>.
● from IPsec (all), IPsec <Connection Name>, OpenVPN (all), OpenVPN <Connection Name>
– to vlan x: Access via VPN tunnel partners to the IP subnet.
– to ppp2: Access from the IP subnet to the WAN interface of the device.
– to Device: Access via VPN tunnel partners to the device.
– to SINEMA RC: Access via VPN tunnel partners to the SINEMA RC connection.
● from ppp0/usb
– to vlan x: Access from the mobile wireless interface to the IP subnet.
– to Device: Access from the mobile wireless interface to the device.
– to SINEMA RC: Access from the mobile wireless interface to the SINEMA RC connection.
– to IPsec (all), IPsec <Connection Name>, OpenVPN (all), OpenVPN <Connection Name>: Access
from the mobile wireless interface to the VPN tunnel partners that can be reached via all VPN
connections (all) or via a certain VPN connection <Connection Name>.

Firewall factory setting

Service                              Local access (vlan1) to the device   External access (vlan2) to the device 1)
Cloud Connector (only with M804PB)   Yes                                  -
DHCP                                 Yes                                  Yes (only for S615)
DNS                                  Yes                                  No
HTTP                                 Yes                                  No
HTTPS                                Yes                                  No
IPsec VPN                            No                                   Yes
Ping                                 Yes                                  No
SMS relay (only with M87x)           Yes                                  No
SNMP                                 Yes                                  No
SSH                                  Yes                                  No
System time                          Yes                                  No
Telnet                               Yes                                  No
1) SCALANCE M826 and M804PB are only available in vlan1 when delivered (factory setting).

Automatic firewall rules


Firewall rules are automatically created for the following functions:
● System > SINEMA RC
● Security > IPsec VPN> Phase 2
● Security > OpenVPN Client > Connection


SINEMA RC
● Telegrams from internal to external are permitted.
● Telegrams from external to internal are permitted.
● The following telegrams are allowed from external to the device:
– ICMP Echo Request
– SSH
– HTTPS
IPsec VPN
● Telegrams from internal to external are permitted.
● Telegrams from external to internal are permitted.
● Allow ICMP echo request from external to the device.
OpenVPN Client
● Telegrams from internal to external are permitted.
● Telegrams from external to internal are permitted.
● Telegrams from the device to external are permitted.
● Allow ICMP echo request from external to the device.


3.5.3 NAT
NAT (Network Address Translation) is a method of translating IP addresses in data packets.
With this, two different networks (internal and external) can be connected together.
A distinction is made between source NAT in which the source IP address is translated and
destination NAT in which the destination IP address is translated.
You will find information on NAT scenarios that are implemented with the device at the
following address: (https://support.industry.siemens.com/cs/gb/en/view/109744660)

IP masquerading
IP masquerading is a simplified source NAT. With each outgoing data packet sent via this
interface, the source IP address is replaced by the IP address of the interface. The adapted
data packet is sent to the destination IP address. For the destination host it appears as if the
queries always came from the same sender. The internal nodes cannot be reached directly
from the external network. By using NAPT, the services of the internal nodes can be made
reachable via the external IP address of the device.
IP masquerading can be used if the internal IP addresses cannot or should not be forwarded
externally, for example because the internal network structure should remain hidden.
You configure masquerading in "Layer 3" > "NAT" > "IP Masquerading (Page 247)".

NAPT
NAPT (Network Address and Port Translation) is a form of destination NAT and is often
called port forwarding. This allows the services of the internal nodes to be reached from
external that are hidden by IP masquerading or source NAT.
Incoming data packets are translated that come from the external network and are intended
for an external IP address of the device (destination IP address). The destination IP address
is replaced by the IP address of the internal node. In addition to address translation, port
translation is also possible.
The following options are available for port translation:

from            to                    Response
a single port   the same port         If the ports are the same, the frames will be forwarded without port translation.
a single port   a single port         The frames are translated to the port.
a port range    a single port         The frames from the port range are translated to the same port (n:1).
a port range    the same port range   If the port ranges are the same, the frames will be forwarded without port translation.

Port forwarding can be used to allow external nodes access to certain services of the internal
network e.g. FTP, HTTP.
You configure NAPT in "Layer 3" > "NAT" > "NAPT (Page 247)".


Source NAT
As with masquerading, in source NAT the source address is translated. In addition to this,
the outgoing data packets can be restricted. These include limitation to certain IP addresses
or IP address ranges and limitation to certain interfaces.
Source NAT can be used if the internal IP addresses cannot or should not be forwarded
externally, for example because a private address range such as 192.168.x.x is used.
You configure source NAT in "Layer 3" > "NAT" > "Source NAT (Page 249)".

NETMAP
With NETMAP it is possible to translate complex subnets to a different subnet. In this
translation, the subnet part of the IP address is changed and the host part remains. For
translation with NETMAP only one rule is required. NETMAP can translate both the source
IP address and the destination IP address. To perform the translation with destination NAT
and source NAT, numerous rules would be necessary. NETMAP can also be applied to VPN
connections.
You configure NETMAP in "Layer 3" > "NAT" > "NETMAP (Page 252)".

3.5.4 NAT and firewall


The firewall and NAT router support the "Stateful Inspection" mechanism. If the IP data traffic
from internal to external is enabled, internal nodes can initiate a communications connection
into the external network.
The reply frames from the external network can pass through the NAT router and firewall
without their addresses having to be entered separately in the firewall rule and in the NAT
address translation. Frames that are not a reply to a query from the internal network are
discarded unless a matching firewall rule exists.


NAT translation and firewall rules

Example of NAT translations

NAT rule ①
Type: Source
Source interface: vlan1 (internal)
Destination interface: vlan2 (external)
Source IP subnet: 192.168.1.0/24
Source IP translated subnet: 10.100.1.0/24
Destination IP subnet: 10.10.10.0/24
Translated destination IP: -

The rule applies to packets sent from vlan1 (internal) to vlan2 (external). With the packets that
arrive at vlan1 there is a check to establish whether the rule applies.
If the source IP address is in the subnet of the sender (Source IP subnet) and the destination IP
address is in the subnet of the recipient (Destination IP subnet), the source IP address is replaced
by the suitable IP address from the "Source IP translated subnet". The subnet part of the source
IP address is changed and the host part remains unchanged.
A packet with the source IP address 192.168.1.102, for example, is changed to 10.100.1.102. For
the devices connected to vlan2 it appears as if the packets were sent from the IP subnet
10.100.1.0/24. This allows, for example, overlaps of IP subnets to be resolved. The rule is only
specified for the send direction. The retranslation is performed implicitly. If the rule does not
apply, the packets are forwarded without translation.

NAT rule ②
Type: Destination
Source interface: vlan2 (external)
Destination interface: vlan1 (internal)
Source IP subnet: 10.10.10.0/24
Source IP translated subnet: -
Destination IP subnet: 10.100.1.0/24
Translated destination IP: 192.168.1.0/24

The rule applies to packets sent from vlan2 (external) to vlan1 (internal). With the packets that
arrive at vlan2 there is a check to establish whether the rule applies.
If the source IP address is in the subnet of the sender (Source IP subnet) and the destination IP
address is in the subnet of the recipient (Destination IP subnet), the destination IP address is
replaced by the suitable IP address from the "Translated destination IP subnet".
A packet sent from the source IP address 10.10.10.102, for example, has its destination IP
address translated to 192.168.1.102. The devices connected to vlan1 can communicate with the
devices connected to vlan2. This assumes that the corresponding firewall rule is set. The devices
connected to vlan2 must address the devices connected to vlan1 with the virtual IP address from
the subnet 10.100.1.0.
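NAT rules ① and ② from the example above, together with the implicit retranslation of replies described in "NAT and firewall", as an added Python example that is not part of the manual. translate_subnet() swaps the subnet part of an address and keeps the host part, which is the behaviour the text describes for the "Source IP translated subnet" and "Translated destination IP subnet" columns; the router keeps the translated requests so that replies are mapped back without a rule of their own. Rule fields follow the table columns; the packet addresses not shown in the table and all class and function names are constructed for this example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, Tuple

def translate_subnet(addr: IPv4Address, from_net: IPv4Network,
                     to_net: IPv4Network) -> IPv4Address:
    """Replace the subnet part of addr with to_net; the host part stays unchanged."""
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("subnets must have the same prefix length")
    host_part = int(addr) & int(from_net.hostmask)
    return IPv4Address(int(to_net.network_address) | host_part)

@dataclass(frozen=True)
class NatRule:
    kind: str                  # Type column: "source" or "destination"
    src_iface: str             # Source interface
    dst_iface: str             # Destination interface
    src_net: IPv4Network       # Source IP subnet
    dst_net: IPv4Network       # Destination IP subnet
    translated: IPv4Network    # Source IP translated subnet / Translated destination IP subnet

@dataclass(frozen=True)
class Packet:
    in_iface: str
    out_iface: str
    src: IPv4Address
    dst: IPv4Address

def pkt(in_iface: str, out_iface: str, src: str, dst: str) -> Packet:
    return Packet(in_iface, out_iface, IPv4Address(src), IPv4Address(dst))

class NatRouter:
    def __init__(self, rules):
        self.rules = list(rules)
        # (translated source, destination) -> original source, for the implicit retranslation
        self.sessions: Dict[Tuple[IPv4Address, IPv4Address], IPv4Address] = {}

    def apply(self, p: Packet) -> Packet:
        # a reply to a translated request is mapped back without a rule of its own
        original_src = self.sessions.get((p.dst, p.src))
        if original_src is not None:
            return Packet(p.in_iface, p.out_iface, p.src, original_src)
        for r in self.rules:
            if (p.in_iface, p.out_iface) != (r.src_iface, r.dst_iface):
                continue
            if p.src not in r.src_net or p.dst not in r.dst_net:
                continue
            if r.kind == "source":
                new_src = translate_subnet(p.src, r.src_net, r.translated)
                self.sessions[(new_src, p.dst)] = p.src
                return Packet(p.in_iface, p.out_iface, new_src, p.dst)
            if r.kind == "destination":
                new_dst = translate_subnet(p.dst, r.dst_net, r.translated)
                return Packet(p.in_iface, p.out_iface, p.src, new_dst)
        return p   # no rule applies: forwarded without translation

# the two rules of the table
RULE_1 = NatRule("source", "vlan1", "vlan2", IPv4Network("192.168.1.0/24"),
                 IPv4Network("10.10.10.0/24"), IPv4Network("10.100.1.0/24"))
RULE_2 = NatRule("destination", "vlan2", "vlan1", IPv4Network("10.10.10.0/24"),
                 IPv4Network("10.100.1.0/24"), IPv4Network("192.168.1.0/24"))

if __name__ == "__main__":
    nat = NatRouter([RULE_1, RULE_2])
    out = nat.apply(pkt("vlan1", "vlan2", "192.168.1.102", "10.10.10.7"))
    print(out.src, out.dst)          # 10.100.1.102 10.10.10.7
```

Note that the NAT step and the firewall step are separate: the firewall rules of the next section must still permit the translated packets, and, as the text says, the stateful firewall then passes the replies the same way the session table here passes them back.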


Firewall rules for the NAT rules ① and ②

Example 1:
These IP rules allow the IP data traffic for all devices for the specified direction.

IP rule for NAT rule ①
Action: Accept
From: vlan1 (internal)
To: vlan2 (external)
Source (Range): 192.168.1.0/24 (Source IP subnet)
Destination (Range): 10.10.10.0/24 (Destination IP subnet)
Service: all
Description: All packets sent from vlan1 (internal) to vlan2 (external) are allowed to pass. This IP
packet filter rule applies to the devices connected to vlan1.

IP rule for NAT rule ②
Action: Accept
From: vlan2 (external)
To: vlan1 (internal)
Source (Range): 192.168.1.0/24 (Translated Destination IP Subnet)
Destination (Range): 10.100.1.0/24 (Destination IP subnet)
Service: all
Description: All packets sent from vlan2 (external) to vlan1 (internal) are allowed to pass.

Example 2:
These IP rules restrict the IP data traffic to a specific device.

IP rule for NAT rule ①
Action: Accept
From: vlan1 (internal)
To: vlan2 (external)
Source (Range): 192.168.1.20/32 (Source IP subnet)
Destination (Range): 10.10.10.0/24 (Destination IP subnet)
Service: all
Description: Only packets sent to vlan2 (external) from the IP address 192.168.1.20 are allowed to
pass.

IP rule for NAT rule ②
Action: Accept
From: vlan2 (external)
To: vlan1 (internal)
Source (Range): 192.168.1.20/32 (Translated Destination IP Subnet)
Destination (Range): 10.100.1.0/24 (Destination IP subnet)
Service: all
Description: Only packets sent from vlan2 (external) to the IP address 192.168.1.20 are allowed to
pass.


3.5.5 Certificates

Certificate types
The device uses different certificates to authenticate the various nodes.

CA certificate (is used in: IPsec VPN (Page 298))
The CA certificate is a certificate issued by a Certificate Authority from which the server, device
and partner certificates are derived. To allow a certificate to be derived, the CA certificate has a
private key signed by the certificate authority.
The key exchange between the device and the VPN gateway of the partner takes place
automatically when establishing the connection. No manual exchange of key files is necessary.

Server certificate (is used in: SINEMA RC)
Server certificates are required to establish secure communication (e.g. HTTPS, VPN...) between
the device and another network participant. The server certificate is an encrypted SSL certificate.
The server certificate is derived from the oldest valid CA, even if this is "out of service". The
crucial thing is the validity date of the CA.

Device certificate (is used in: IPsec VPN (Page 298))
Certificates with the private key (key file) with which the device identifies itself.

Partner certificate (is used in: IPsec VPN (Page 298))
Certificates with which the VPN gateway of the partner identifies itself with the device.

File types

File type   Description
*.crt       File that contains the certificate.
*.p12       In the PKCS12 certificate file, the private key is stored with the corresponding
            certificate and is password protected.
            The CA creates a certificate file (PKCS12) for both ends of a VPN connection with
            the file extension ".p12". This certificate file contains the public and private key of
            the local station, the signed certificate of the CA and the public key of the CA.
*.pem       Certificate and key as Base64-coded ASCII text.


3.5.6 VPN
The device supports the following VPN systems
● IPsec VPN
● OpenVPN

3.5.6.1 IPsec VPN


You configure the IPsec connections in "Security" > "IPsec VPN (Page 293)".
With IPsec VPN, the frames are transferred in tunnel mode. To allow the device to establish
a VPN tunnel, the remote network must have a VPN gateway as the partner.
For the VPN connections, the device distinguishes two modes:
● Roadwarrior mode
In this mode either the address of the partner is fixed or an IP range is entered from
which the connections are taken. The device learns the reachable remote subnets from
the partner.
● Standard mode
In this mode the address of the partner or the remote subnet is entered permanently. The
device can either establish the connection actively as a VPN client or wait passively for
connection establishment by the partner.


The IPsec method


The device uses the IPsec method in the tunnel mode for the VPN tunnel. Here, the frames
to be transferred are completely encrypted and provided with a new header before they are
sent to the VPN gateway of the partner. The frames received by the partner are decrypted
and forwarded to the recipient.
To provide security, the IPsec protocol suite uses several protocols:
● The IP Authentication Header (AH) provides integrity protection and authentication of the
source, but no encryption.
● The Encapsulating Security Payload (ESP) encrypts the data and can additionally
authenticate it.
● The Security Association (SA) contains the specifications negotiated between the
partners, e.g. the lifetime of the keys, the encryption algorithm, the period after which
re-authentication is required etc.
● Internet Key Exchange (IKE) is a key exchange method. The key exchange takes place in
two phases:
– Phase 1
In this phase, no security services such as encryption, authentication and integrity
checks are available yet since the required keys and the IPsec SA still need to be
created. Phase 1 serves to establish a secure VPN tunnel for phase 2. To achieve
this, the communications partners negotiate an ISAKMP Security Association
(ISAKMP SA) that defines the required security services (algorithms, authentication
methods used). The subsequent messages and phase 2 are therefore secure.
– Phase 2
Phase 2 serves to negotiate the required IPsec SA. Similar to phase 1, exchanging
offers achieves agreement about the authentication methods, the algorithms and the
encryption method to protect the IP packets with IPsec AH and IPsec ESP.
The exchange of messages is protected by the ISAKMP SA negotiated in phase 1.
Due to the ISAKMP SA negotiated in phase 1, the identity of the nodes is known and
the method for the integrity check already exists.

Authentication method
● CA certificate, device and partner certificate (digital signatures)
Certificates form an asymmetric cryptographic system in which every node (device) has its
own key pair. Each node keeps its private key secret and knows the public key of the
partner from the partner's certificate. With its private key the device authenticates
itself and generates digital signatures; the partner verifies them with the public key.
● Pre-shared key
A pre-shared key is a symmetric secret: both VPN end points are configured with the same
key. It is used to authenticate the partners to each other during IKE; the keys that
actually encrypt the data packets are derived from the IKE key exchange.


Local ID and remote ID


The local ID and the remote ID are used by IPsec to uniquely identify the partners (VPN end
point) during establishment of a VPN connection.

Encryption methods
The following encryption methods are supported. Which ones are available depends on the
phase and the key exchange method (IKE version):

Method            Phase 1 IKEv1   Phase 1 IKEv2   Phase 2 IKEv1   Phase 2 IKEv2
3DES              x               x               x               x
AES128 CBC        x               x               x               x
AES192 CBC        x               x               x               x
AES256 CBC        x               x               x               x
AES128 CTR        -               x               x               x
AES192 CTR        -               x               x               x
AES256 CTR        -               x               x               x
AES128 CCM 16     -               x               x               x
AES192 CCM 16     -               x               x               x
AES256 CCM 16     -               x               x               x
AES128 GCM 16     -               x               x               x
AES192 GCM 16     -               x               x               x
AES256 GCM 16     -               x               x               x

x: supported
-: not supported


Default Ciphers
During connection establishment a preset list of proposals can be sent to the VPN connection
partner. The list contains combinations of the three algorithms (Encryption, Authentication,
Key derivation). To establish a VPN connection, the VPN connection partner must support at
least one of these combinations. Which combinations are proposed depends on the phase and
the key exchange method (IKE version):

Encryption       Authentication   Key derivation   Phase 1 IKEv1   Phase 1 IKEv2   Phase 2 IKEv1   Phase 2 IKEv2
AES128           SHA1             DH Group 14      x               x               x               x
AES256           SHA512           DH Group 16      x               x               x               x
AES128 CCM 16    SHA256           DH Group 14      -               x               x               x
AES256 CCM 16    SHA512           DH Group 16      -               x               x               x
AES128           SHA1             none             -               -               x               x
AES256           SHA512           none             -               -               x               x
AES128 CCM 16    SHA256           none             -               -               x               x
AES256 CCM 16    SHA512           none             -               -               x               x

x: combination is part of the default cipher list
-: combination is not part of the default cipher list
none: for phase 2, no separate key exchange takes place. This means that Perfect Forward
Secrecy (PFS) is disabled: the phase 2 keys are derived from the phase 1 key material only.

Requirements of the VPN partner

The VPN partner must support IPsec with the following configuration to be able to establish
an IPsec connection successfully:
● Authentication with partner certificate, CA certificates or pre-shared key
● IKEv1 or IKEv2
● Support of at least one of the following DH groups: Diffie-Hellman groups 1, 2, 5 and
14 to 18
● 3DES or AES encryption
● MD5, SHA1, SHA256, SHA384 or SHA512
● Tunnel mode
DH groups 1, 2 and 5, 3DES and MD5 are accepted only so that connections to older partners
remain possible; current IKE algorithm guidance (RFC 8247) no longer recommends them. Where
the partner allows it, use AES, SHA256 or stronger and DH group 14 or higher.
If the VPN partner is downstream from a NAT router, the partner must support NAT-T, or the
NAT router must support IPsec passthrough (IPsec/VPN passthrough).
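To see how the default cipher list and the partner requirements above interact, here is an added example (not code from the manual or the device) that models the proposal selection: the device's default cipher table is copied from the manual; the partner's supported combinations, the rule "first device proposal the partner also supports wins", and the list of algorithms flagged as weak are assumptions for illustration. The audit() function reports the two things a practitioner checks on a negotiated tunnel: legacy algorithms, and a phase 2 proposal with key derivation "none" (PFS disabled).

```python
"""Model of IPsec default-cipher negotiation and a hardening check on the result."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Proposal:
    encryption: str
    authentication: str
    key_derivation: str   # DH group, or "none" = no separate phase 2 key exchange (no PFS)


# Default cipher list from the manual, keyed by (phase, IKE version), in list order.
DEFAULT_CIPHERS = {
    ("phase1", "ikev1"): [
        Proposal("AES128", "SHA1", "DH Group 14"),
        Proposal("AES256", "SHA512", "DH Group 16"),
    ],
    ("phase1", "ikev2"): [
        Proposal("AES128", "SHA1", "DH Group 14"),
        Proposal("AES256", "SHA512", "DH Group 16"),
        Proposal("AES128 CCM 16", "SHA256", "DH Group 14"),
        Proposal("AES256 CCM 16", "SHA512", "DH Group 16"),
    ],
}
# Phase 2 is identical for IKEv1 and IKEv2: the four PFS combinations plus the same
# four without a separate key exchange ("none").
_PHASE2 = DEFAULT_CIPHERS[("phase1", "ikev2")] + [
    Proposal(p.encryption, p.authentication, "none")
    for p in DEFAULT_CIPHERS[("phase1", "ikev2")]
]
DEFAULT_CIPHERS[("phase2", "ikev1")] = _PHASE2
DEFAULT_CIPHERS[("phase2", "ikev2")] = _PHASE2

# Algorithms the partner requirement list still allows but which a hardening policy
# should flag (assumption: a site policy, not a rule enforced by the device).
WEAK = {"3DES", "MD5", "SHA1", "DH Group 1", "DH Group 2", "DH Group 5"}


def negotiate(phase, ike_version, partner_supports):
    """Return the first device proposal the partner also supports, or None.

    partner_supports: a set (or list) of Proposal objects the partner accepts.
    """
    for proposal in DEFAULT_CIPHERS[(phase, ike_version)]:
        if proposal in partner_supports:
            return proposal
    return None


def audit(phase, proposal):
    """List hardening findings for a negotiated proposal (empty list = nothing to flag)."""
    findings = []
    for alg in (proposal.encryption, proposal.authentication, proposal.key_derivation):
        if alg in WEAK:
            findings.append(f"weak algorithm {alg}")
    if phase == "phase2" and proposal.key_derivation == "none":
        findings.append("PFS disabled: phase 2 keys derive from the phase 1 SA only")
    return findings


if __name__ == "__main__":
    # Constructed partner: an older gateway that only offers AES128/SHA1 without PFS.
    legacy_partner = {Proposal("AES128", "SHA1", "DH Group 14"),
                      Proposal("AES128", "SHA1", "none")}
    for phase in ("phase1", "phase2"):
        chosen = negotiate(phase, "ikev1", legacy_partner)
        print(phase, chosen, audit(phase, chosen) if chosen else "no common proposal")
```

Note that an AES CCM proposal in phase 1 only exists for IKEv2, so negotiate("phase1", "ikev1", ...) returns None for a partner that offers nothing but AEAD combinations, exactly as the table predicts.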

NAT traversal (NAT-T)


There may be a NAT router between the device and the VPN gateway of the remote
network. Not all NAT routers allow IPsec frames to pass through. This means that it may be
necessary to encapsulate the IPsec frames in UDP packets to be able to pass through the
NAT router.


Dead peer detection


Dead peer detection (DPD) is only possible when the VPN partner also supports it. DPD
checks whether the connection is still operating problem-free or whether the line has been
interrupted. Without DPD, depending on the configuration, a failed tunnel is only noticed
when the SA lifetime expires, or the connection must be re-initiated manually. To check
whether the IPsec connection is still problem-free, the device itself sends DPD queries to
the VPN partner station. If the VPN partner station does not reply within the configured
time, the connection to the VPN partner station is declared invalid. You configure the
settings for DPD in phase 1.

3.5.6.2 OpenVPN
With OpenVPN, virtual private networks (VPN) can be established. As an OpenVPN client,
the device can establish a VPN connection to a remote network.
You configure the OpenVPN client in "Security > OpenVPN Client (Page 304)".
The VPN connection is established via virtual network device drivers, the TAP and TUN
devices. They create virtual network interfaces that act like a physical interface of the
device and form the endpoint of the VPN tunnel.
The device supports the following:
● TUN device: Routing mode
The LAN interface and the virtual network interface are located in different IP subnets.
The OpenVPN server assigns the virtual tunnel interface a virtual IP address from a
dedicated tunnel subnet. IP packets (layer 3) are routed between the virtual tunnel
interface and the LAN interface.

Authentication method
● Certificates: CA certificate and device certificate
Certificates form an asymmetric cryptographic system. Each node (device) holds its own
secret private key and knows the public key of the partner from the partner's certificate.
With its private key the device authenticates itself and generates digital signatures.
● User name / password
Access is restricted by a user name and a password.

Encryption methods
The device supports the following methods:
● BF CBC (Blowfish)
● AES128 CBC
● AES192 CBC
● AES256 CBC
● DES EDE3 (Triple DES)
Blowfish and Triple DES are 64-bit block ciphers and should only be selected when an
older OpenVPN server offers nothing else; prefer AES.


3.5.6.3 VPN connection establishment


The device supports the following options for establishing a VPN connection.
● OpenVPN: Security > OpenVPN > Connections (Page 305)
● IPsec VPN: Security > IPsec VPN > Connections (Page 296)
● SINEMA RC: System > SINEMA RC (Page 212)

Option        OpenVPN   IPsec VPN   SINEMA RC 1)   Description
start         x         x           -              The device is "active", in other words, it attempts to establish a
                                                   connection to a partner. The partner is addressed using its
                                                   configured WAN IP address or the configured FQDN.
wait          -         x           -              The device is "passive", in other words, it waits for the partner
                                                   to initiate the connection.
on demand     -         x           -              The device attempts to establish a connection to a partner when
                                                   necessary. Requests for VPN connection establishment from the
                                                   partner are also accepted.
                                                   For the configured local and remote subnets, an entry is created
                                                   in the routing table. If a node in one of these networks attempts
                                                   to send data packets via the VPN tunnel, the VPN connection is
                                                   established. After the configurable timeout has elapsed without
                                                   further data packets, the VPN tunnel is terminated again.
start on DI   x         x           x              Connection establishment is controlled via the digital input (DI):
                                                   on signal 1 the device becomes "active" and attempts to establish
                                                   the connection.
wait on DI    -         x           -              Connection establishment is controlled via the digital input (DI):
                                                   on signal 1 the device becomes "passive" and waits for the partner
                                                   to initiate the connection.
Auto          -         -           x              The device adopts the settings of the SINEMA RC server. You
                                                   configure the settings on the SINEMA RC Server in "Remote
                                                   Connections > Devices". You will find further information on this
                                                   topic in the operating instructions "SINEMA RC Server".
Permanent     -         -           x              The device establishes a VPN connection to the SINEMA RC Server.
                                                   The VPN tunnel is established permanently.
1) For SCALANCE S615: KEY-PLUG SINEMA REMOTE CONNECT required


Digital input (DI)


The establishment of the VPN tunnel can also be controlled via the digital input, e.g. using a
button. When the button is closed, voltage is applied to the digital input and the LED of the
digital input lights up. The lit LED indicates that signal 1 (TRUE / HIGH) is applied. Signal 1
triggers an event on the device with which the establishment of the VPN tunnel is controlled.
You will find information on connecting and the maximum current load in the operating
instructions of the devices.

Requirement
● In "System > Events > Configuration" for the "Digital Input" event "VPN Tunnel" is
activated.
If this setting is not activated, the event is not passed on to the VPN connection.
Options
The device supports the following options for controlling the VPN tunnel via the digital input:
● start on DI
If the event "Digital Input" occurs, the device becomes "active". The device tries to
establish a VPN connection to a remote station (OpenVPN, IPsec, SINEMA RC).
● Wait on DI
If the event "Digital Input" occurs, the device becomes "passive". The device waits for the
partner to initiate the connection.


Notification options
If the status of the digital input or a VPN tunnel (IPsec, OpenVPN, SINEMA RC) changes,
the device provides several options for notification on the "Events (Page 146)" page.

Notification type   Digital input   VPN tunnel   Behavior if there is a status change
E-mail              x               x            The device sends an e-mail. The e-mail contains the identification of
                                                 the sending device, a description of the cause of the alarm in plain
                                                 language, and a time stamp.
                                                 Requirement:
                                                 • An SMTP server is set up.
                                                 • In "System > SMTP Client" the function is activated, and a recipient
                                                   and the IP address of the SMTP server are configured.
Trap                x               x            The device sends an SNMP trap.
                                                 Requirement:
                                                 • "SNMPv1 traps" is enabled in "System > Configuration".
                                                 • In "System > Configuration > Traps" a recipient is configured to
                                                   which the device sends the SNMP traps.
Log table           x               x            The device writes an entry in the event log table. The content of the
                                                 event log table is displayed in "Information > Log Table".
Syslog              x               x            The device writes an entry to the Syslog server.
                                                 Requirement:
                                                 • A Syslog server has been set up.
                                                 • In "System > Syslog Client" the function is activated and the IP
                                                   address of the Syslog server is configured.
Fault LED           x               -            The fault LED lights up on the device.
Digital Output      x               x            Controls the digital output or signals the status change with the "DO"
                                                 LED. A consumer can be connected to the digital output; the consumer
                                                 then signals the status change. You will find information on
                                                 connecting in the operating instructions of the devices.

Note
You can control the digital output directly via CLI or SNMP. In the WBM and CLI, you can
configure the use of the digital output in "Events". Do not control the digital output directly
when you use this in the WBM and CLI.


Notification type   Digital input   VPN tunnel   Behavior if there is a status change
Read out the MIB    x               -            Using the private MIB variable snMspsDigitalInputLevel, you can read out
variable                                         the status of the digital input.
                                                 • OID of the private MIB variable snMspsDigitalInputLevel:
                                                   iso(1).org(3).dod(6).internet(1).private(4).enterprises(1).siemens(4329).
                                                   industrialComProducts(20).iComPlatforms(1).simaticNet(1).snMsps(1).
                                                   snMspsCommon(1).snMspsDigitalIO(39).snMspsDigitalIOObjects(1).
                                                   snMspsDigitalInputTable(2).snMspsDigitalInputEntry(1).
                                                   snMspsDigitalInputLevel(6)
                                                 • Values of the MIB variable:
                                                   – 1: Signal 0 at the digital input (DI)
                                                   – 2: Signal 1 at the digital input (DI)
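For monitoring the digital input from a script without an SNMP library, the following added example (not code from the manual or the device) builds an SNMPv1 GetRequest for snMspsDigitalInputLevel by hand in BER and decodes the GetResponse. The numeric OID arcs are read off the named path above; the assumptions are SNMPv1 with community "public", instance index .1 for the first digital input (the manual does not state the index), and the value meanings 1 = signal 0 and 2 = signal 1 quoted above. Nothing is sent: encode_get_request() returns the bytes you would send to UDP port 161, and constructed_response() fabricates the reply the device would give so the decoder can be exercised offline.

```python
"""Hand-built SNMPv1 GetRequest/GetResponse for snMspsDigitalInputLevel."""

# iso(1).org(3).dod(6).internet(1).private(4).enterprises(1).siemens(4329)
# .industrialComProducts(20).iComPlatforms(1).simaticNet(1).snMsps(1).snMspsCommon(1)
# .snMspsDigitalIO(39).snMspsDigitalIOObjects(1).snMspsDigitalInputTable(2)
# .snMspsDigitalInputEntry(1).snMspsDigitalInputLevel(6)
SN_MSPS_DIGITAL_INPUT_LEVEL = (1, 3, 6, 1, 4, 1, 4329, 20, 1, 1, 1, 1, 39, 1, 2, 1, 6)
DI_INDEX = 1                               # assumption: row for the first digital input
LEVELS = {1: "signal 0", 2: "signal 1"}    # value meanings from the manual


def _tlv(tag, body):
    """BER tag-length-value with short or long definite length."""
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    length = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + body


def _int(value):
    """BER INTEGER, minimal two's-complement encoding."""
    n = max(1, (value.bit_length() + 8) // 8)
    return _tlv(0x02, value.to_bytes(n, "big", signed=True))


def encode_oid(arcs):
    """BER OBJECT IDENTIFIER: first two arcs packed, rest base-128 with continuation bit."""
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return _tlv(0x06, bytes(body))


def encode_get_request(community=b"public", request_id=1, index=DI_INDEX):
    """SNMPv1 message carrying a GetRequest (tag 0xA0) for the DI level of one row."""
    oid = SN_MSPS_DIGITAL_INPUT_LEVEL + (index,)
    varbind = _tlv(0x30, encode_oid(oid) + _tlv(0x05, b""))            # { OID, NULL }
    pdu = _tlv(0xA0, _int(request_id) + _int(0) + _int(0) + _tlv(0x30, varbind))
    return _tlv(0x30, _int(0) + _tlv(0x04, community) + pdu)           # version 0 = SNMPv1


def _read_tlv(buf, pos):
    """Return (tag, body, position after the element) for the TLV at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_get_response(packet):
    """Return (request_id, error_status, integer value) of the first varbind."""
    _, msg, _ = _read_tlv(packet, 0)
    _, _version, pos = _read_tlv(msg, 0)
    _, _community, pos = _read_tlv(msg, pos)
    tag, pdu, _ = _read_tlv(msg, pos)
    if tag != 0xA2:
        raise ValueError("not a GetResponse PDU")
    _, rid, pos = _read_tlv(pdu, 0)
    _, err, pos = _read_tlv(pdu, pos)
    _, _idx, pos = _read_tlv(pdu, pos)
    _, varbinds, _ = _read_tlv(pdu, pos)
    _, vb, _ = _read_tlv(varbinds, 0)
    _, _oid, pos = _read_tlv(vb, 0)
    vtag, value, _ = _read_tlv(vb, pos)
    if vtag != 0x02:
        raise ValueError("value is not an INTEGER")
    return (int.from_bytes(rid, "big", signed=True),
            int.from_bytes(err, "big", signed=True),
            int.from_bytes(value, "big", signed=True))


def di_level(packet):
    """Translate a GetResponse into the DI state named in the manual."""
    _, err, value = parse_get_response(packet)
    if err:
        raise ValueError(f"SNMP error-status {err}")
    return LEVELS.get(value, f"unknown ({value})")


def constructed_response(value, request_id=1):
    """Constructed sample reply (tag 0xA2) as the device would answer; for offline tests."""
    oid = SN_MSPS_DIGITAL_INPUT_LEVEL + (DI_INDEX,)
    varbind = _tlv(0x30, encode_oid(oid) + _int(value))
    pdu = _tlv(0xA2, _int(request_id) + _int(0) + _int(0) + _tlv(0x30, varbind))
    return _tlv(0x30, _int(0) + _tlv(0x04, b"public") + pdu)


if __name__ == "__main__":
    print("request:", encode_get_request().hex())
    print("decoded sample reply:", di_level(constructed_response(2)))
```

SNMPv1 sends the community string in clear text; on a production network, restrict the SNMP readers to the monitoring host and prefer the device's SNMPv3 settings where available.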


3.6 Redundancy

3.6.1 Spanning Tree

Avoiding loops on redundant connections


The spanning tree algorithm allows network structures to be created in which there are
several connections between two IE switches / bridges. Spanning tree prevents loops being
formed in the network by allowing only one path and disabling the other (redundant) ports for
data traffic. If there is an interruption, the data can be sent over an alternative path. The
functionality of the spanning tree algorithm is based on the exchange of configuration and
topology change frames.

Definition of the network topology using the configuration frames


The devices exchange configuration frames known as BPDUs (Bridge Protocol Data Units)
with each other to calculate the topology. The root bridge is selected and the network
topology created using these frames. BPDUs also bring about the status change of the root
ports.
The root bridge is the bridge that controls the spanning tree algorithm for all involved
components.
Once the root bridge has been specified, each device sets a root port. The root port is the
port with the lowest path costs to the root bridge.

Response to changes in the network topology


If nodes are added to a network or drop out of the network, this can affect the optimum path
selection for data packets. To be able to respond to such changes, the root bridge sends
configuration messages at regular intervals. The interval between two configuration
messages can be set with the "Hello Time" parameter.

Keeping configuration information up to date


With the "Max Age" parameter, you set the maximum age of configuration information. If a
bridge has information that is older than the time set in "Max Age", it discards the message
and initiates recalculation of the paths.
New configuration data is not used immediately by a bridge but only after the period
specified in the "Forward Delay" parameter. This ensures that operation is only started with
the new topology after all the bridges have the required information.


3.6.1.1 RSTP

Rapid Spanning Tree Protocol (RSTP)


One disadvantage of STP is that if there is a disruption or a device fails, the network needs
to reconfigure itself: The devices start to negotiate new paths only when the interruption
occurs. This can take up to 30 seconds. For this reason, STP was expanded to create the
"Rapid Spanning Tree Protocol" (RSTP, IEEE 802.1w). This differs from STP essentially in
that the devices already collect information about alternative routes during normal
operation and do not need to gather this information after a disruption has occurred. This
means that the reconfiguration time for an RSTP controlled network can be reduced to a few
seconds.
This is achieved by using the following functions:
● Edge ports (end node port)
Edge ports are ports connected to an end device.
A port that is defined as an edge port is activated immediately after connection
establishment. If a spanning tree BPDU is received at an edge port, the port loses its role
as edge port and takes part in (R)STP again. If no further BPDU is received after a
certain time has elapsed (3 x hello time), the port returns to the edge port status.
● Point-to-point (direct communication between two neighboring devices)
By directly linking the devices, a status change (reconfiguration of the ports) can be made
without any delays.
● Alternate port (substitute for the root port)
A substitute for the root port is configured. If the connection to the root bridge is lost, the
device can establish a connection over the alternate port without any delay due to
reconfiguration.
● Reaction to events
Rapid spanning tree reacts to events, for example an aborted connection, without delay.
There is no waiting for timers as in spanning tree.
● Counter for the maximum bridge hops
The number of bridge hops a packet is allowed to make before it automatically
becomes invalid.
In principle, therefore, with rapid spanning tree alternatives for many parameters are
preconfigured and certain properties of the network structure are taken into account to
reduce the reconfiguration time.


3.6.2 VRRPv3

Router redundancy with VRRPv3


With the Virtual Router Redundancy Protocol version 3 (VRRPv3), the failure of a router in a
network can be countered. Version 3 of VRRP (RFC 5798) is based on version 2 (RFC 3768).
VRRP can only be used with virtual IP interfaces (VLAN interfaces).
Several VRRP routers in a network segment are put together as a logical group representing
a virtual router (VR). The group is defined by the virtual router ID (VRID). Within the
group, the VRID must be the same; the VRID cannot be used for another group.
The virtual router is assigned a virtual IP address and a virtual MAC address. One of the
VRRP routers within the group is specified as the master router; the master router has
priority 255. The other VRRP routers are backup routers. The master router assigns the
virtual IP address and the virtual MAC address to its network interface and sends VRRP
packets (advertisements) to the backup routers at specific intervals. With these
advertisements the master router signals that it is still functioning. The master router also
replies to ARP queries for the virtual IP address.
If the master router fails, a backup router takes over the role of the master router: the
backup router with the highest priority becomes the master router; if the priority of the
backup routers is the same, the higher MAC address decides.
The new master router adopts the virtual MAC and IP address. This means that no routing
tables or ARP tables of the hosts need to be updated, so the consequences of a device
failure are minimized.
You configure VRRP in "Layer 3 > VRRPv3".

Configuring with Web Based Management 4
4.1 Web Based Management

How it works
The device has an integrated HTTP server for Web Based Management (WBM). If a device
is addressed with a Web browser, it returns HTML pages to the Admin PC depending on the
user input.
The user enters the configuration data in the HTML pages sent by the device. The device
evaluates this information and generates reply pages dynamically.
Access via HTTPS is enabled in the factory setting. With access via HTTP, the address is
automatically redirected to HTTPS.
If you wish to access the WBM via an HTTP connection, you need to select "HTTP &
HTTPS" for "HTTP Services" in "System > Configuration".

Requirements
WBM display
● The device has an IP address.
● There is a connection between the device and the Admin PC.
With the Windows ping command, you can check whether or not a connection exists.
If the device has the factory settings, refer to "Requirements for operation (Page 18)".
● Access via HTTPS is enabled.
● JavaScript is activated in the Web browser.
● The Web browser must not be set so that it reloads the page from the server each time
the page is accessed. The updating of the dynamic content of the page is ensured by
other mechanisms.
In the Internet Explorer, you can make the appropriate setting in the "Options > Internet
Options > General" menu in the section "Browsing history" with the "Settings" button.
Under "Check for newer versions of stored pages:", select "Automatically".


● If a firewall is used, the relevant ports must be opened.
– For access using HTTPS: TCP port 443
● The display of the WBM was tested with the following desktop Web browsers:
– Microsoft Internet Explorer 11

Note
Compatibility view
In Microsoft Internet Explorer, disable the compatibility view to ensure correct display
and to allow problem-free configuration using WBM.

– Mozilla Firefox 57
– Google Chrome V62


4.2 Starting and logging in

Establishing a connection to a device


Follow the steps below to establish a connection to a device using an Internet browser:
1. There is a connection between the device and the Admin PC. With the ping command,
you can check whether or not a device can be reached.
2. In the address box of the Internet browser, enter the IP address or the URL of the device.
Access via HTTPS is enabled as default. If you access the device via HTTP, the address
is automatically diverted to HTTPS.
A message relating to the security certificate appears. Before you acknowledge this message
and continue loading the page, verify that the certificate really belongs to the device
(for example by comparing its fingerprint over a trusted channel), or install a server
certificate issued by a CA that your Admin PC trusts.

Note
Information on the security certificate
Because the device can only be administered using encrypted access, it is delivered with
a self-signed certificate. If a certificate is used whose signature the operating system does
not know, a security message is displayed. You can display the certificate.

3. If there is a connection to the device, the login page of Web Based Management (WBM)
is displayed.
If you wish to access the WBM via an HTTP connection, configure "HTTP & HTTPS" for
"HTTP Services" in "System > Configuration".


Changing language
1. From the drop-down list at the top right, select the language version of the WBM pages.
2. Click the "Go" button to change to the selected language.

Default Login Page


Under "System > Configuration > Default Login Page", you can define which login page is
opened by default.
You can change the type of login via the "Switch to..." links.
To log in, you have the following options:
● Login option in the center of the browser window.
● Login option in the upper left area of the browser window


Logging in to WBM
1. "Name" input box:
– When you log in for the first time or following a "Restore Factory Defaults and Restart",
enter the factory-preset user name "admin".
With this user account, you can change the settings of the device (read and write
access to the configuration data).
– Otherwise, enter the user name of a created user account. You configure local user
accounts and roles in "Security > Users".
2. "Password" input box:
– When you log in for the first time or following a "Restore Factory Defaults and Restart",
enter the factory-preset password of the "admin" user: "admin".
– Otherwise, enter the password of the relevant user account.
3. Click the "Login" button or confirm your input with "Enter".

Note
When you log in for the first time or following a "Restore Factory Defaults and Restart",
you can rename the factory-preset "admin" user once. Afterwards, renaming "admin" is no
longer possible. Enter the new name in the corresponding input box.

When you log in for the first time or following a "Restore Factory Defaults and Restart",
you are prompted to change the password.
The new password must meet the password policy "High":
– Password length: at least 8 characters, at most 128 characters
– At least 1 uppercase letter
– At least 1 special character (the special characters § and ß are not permitted)
– At least 1 number
You need to repeat the password as confirmation. The two password entries must match.
4. Click the "Set Values" button to complete the action.
The changes take effect immediately. Once the admin password has been changed, access via
DCP is write-protected: the network parameters can still be read with the Primary Setup Tool
or with "DCP Discovery", but can no longer be changed.
Once you have logged in successfully, the start page appears.
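When initial passwords are generated or rolled out by a provisioning script, it is worth validating them against the "High" policy before pushing them to the device, so that the forced password change does not fail half-way through a rollout. The following is an added example, not the device's own validation code: the four rules and the two excluded characters (§, ß) are taken from the policy above; treating every printable non-alphanumeric ASCII character (Python's string.punctuation) as a "special character" and the wording of the findings are assumptions.

```python
"""Check a candidate password against the WBM password policy "High"."""
import string

SPECIALS = set(string.punctuation)   # assumption: printable non-alphanumeric ASCII
FORBIDDEN = {"§", "ß"}               # explicitly excluded by the policy


def check_high_policy(password):
    """Return the list of violated rules; an empty list means the password is accepted."""
    findings = []
    if not 8 <= len(password) <= 128:
        findings.append("length must be 8 to 128 characters")
    if not any(c.isupper() for c in password):
        findings.append("at least one uppercase letter required")
    if not any(c in string.digits for c in password):
        findings.append("at least one number required")
    if not any(c in SPECIALS for c in password):
        findings.append("at least one special character required")
    for c in password:
        if c in FORBIDDEN:
            findings.append(f"special character {c!r} is not permitted")
            break
    return findings


def is_acceptable(password):
    """Convenience wrapper for provisioning scripts."""
    return not check_high_policy(password)


if __name__ == "__main__":
    # Constructed candidates, including the factory default that must be replaced.
    for candidate in ("admin", "Scalance-615", "Straße-2019", "nouppercase-615"):
        print(repr(candidate), check_high_policy(candidate) or "accepted")
```

The check deliberately reports every violated rule at once rather than stopping at the first, which is what an operator wants to see in a rollout log.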


Logging into the WBM page for user-specific firewall


Requirement
● The user has the right to remote access. You configure the setting "Security > Users >
Local users".
● A rule set is assigned to the user.
You can find more information on this in the "User-defined firewall" Getting Started.
Procedure
1. If the login page is not set by default for the user-specific firewall, click the link "Switch to
firewall login".
2. Enter the user name of the created user account. You configure local user accounts and
roles in "Security > Users".
3. Enter the password of the relevant user account.
4. Click the "Login" button or confirm your input with "Enter".
After successful login, the WBM page "User-defined firewall information" opens. The
current rule set and the remaining time are displayed. If needed, the user can extend the
access time via the "Reset Timeout" button.


4.3 "Wizard" menu

4.3.1 Basic Wizard

Introduction
With the Basic Wizard, menus guide you through the configuration of the most important
parameters. On the Basic Wizard pages, you can only configure the parameters important
for the basic functionality. You make further settings when you have finished with the Basic
Wizard.

Requirement
● The device has an IP address and can be reached via the Ethernet interface.
● You are logged on in the WBM as a user with administrator rights.
● When shipped or following a "Restore Factory Defaults and Restart" the device can be
reached with the values preset in the factory. For more detailed information, refer to the
section "Requirements for operation (Page 18)".

Starting the Basic Wizard


Click on "Wizard > Basic Wizard" in the navigation area to start the Basic Wizard.
If you log in the first time or log on after a "Restore Factory Defaults and Restart", the Basic
wizard is started automatically after you have changed the default password.

Buttons you require often


The WBM pages of the Basic Wizard contain the following buttons:

Button Description
Goes to the next page

Goes back to the previous page

The Basic Wizard is closed without adopting the settings.

Saves the configuration and exits the Basic Wizard.

Navigation within the pages of the Basic Wizard is possible only with the "Previous" and
"Next" buttons.


4.3.2 IP

Introduction
One of the basic steps in configuration of a device is setting the IPv4 address. The IP
address identifies a device in the network uniquely.


Description
The Basic Wizard page contains the following boxes:
● Internal (vlan1)
In this area make the settings for connection to the LAN.
– IP Address
Enter the IPv4 address of the interface that is unique within your network.
– Subnet Mask
Enter the subnet mask of the subnet you are creating.
● External (vlan2)
In this area make the settings for connection to the WAN.
– DHCP
When enabled the interface receives the IPv4 address from a DHCP server.
– IP Address
Enter the IPv4 address of the interface.
– Subnet Mask
Enter the subnet mask of the subnet you are creating. Subnets on different interfaces
must not overlap.
– DHCP (Gateway)
If the DHCP server transmits an IP address for a gateway, this is displayed here.
● Create new gateway
You define the gateway in this area.
– IP Address
Enter the IP address of the default gateway to be able to communicate with devices in
another subnet.


4.3.3 Device

Introduction
On this Basic Wizard page, you configure the general device information.


Description
The Basic Wizard page contains the following boxes:
● System Name
You can enter the name of the device. If you configure this box, this configuration is
adopted and displayed in the selection area. A maximum of 255 characters are possible.
The system name is also displayed in the CLI input prompt. The number of characters in
the CLI input prompt is limited. The system name is truncated after 16 characters.
● Device Location
You can enter the location where the device is installed. The location is displayed in the
selection area. A maximum of 255 characters are possible.

Note
Permitted characters
The following printable ASCII characters (0x20 to 0x7E) are permitted in the input fields:
• 0123456789
• A...Z a...z
• !"#$%&'()*+,-./:;<=>?@ [\]_{|}~^` and the space character

● System Contact
You can enter a contact person responsible for managing the device. A maximum of 255
characters are possible.


4.3.4 Time Settings

Time setting
On this Basic Wizard page, you set the date and time of the system.

Description
Manual time setting:
● Time Manually
Enable or disable manual setting of the time. If you enable the option, the "System Time"
input box can be edited.
● System Time
Enter the date and time in the format "MM/DD/YYYY HH:MM:SS".
After a restart, the time of day begins at 01/01/2000 00:00:00
● Use PC Time
Click the button to use the time setting of the PC.


Automatic time-of-day setting with NTP


● NTP Client
Enable or disable time synchronization using NTP.
● Secure NTP Client only
When enabled, the device receives the system time from a secure NTP server. The
setting applies to all server entries.
To enable the secure NTP client, the parameters for authentication (key ID, hash
algorithm, key) must be configured.
● Time Zone
In this box, enter the time zone you are using in the format "+/- HH:MM". The time zone
relates to UTC standard world time. Settings for daylight-saving and standard time are
taken into account in this box by specifying the time offset.
Configure the NTP servers in the table:
● Select
Select the row you want to delete.
● NTP Server Index
Number corresponding to a specific NTP server entry.
● NTP Server Address
Enter the IP address, the FQDN (Fully Qualified Domain Name) or the host name of the
NTP server.
● NTP Server Port
Enter the port of the NTP server.
The following ports are possible:
– 123 (standard port)
– 1025 to 36564
● Poll Interval
Specify the interval between two time queries. The greater the interval, the less accurate
the time of the device.
Possible values are 64 to 2592000 seconds (30 days).
● Key ID
Enter the ID of the authentication key.
● Hash Algorithm
Specify the format for the authentication key.
● Key
Enter the authentication key.
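The Key ID, Hash Algorithm and Key entries above are the inputs to NTP symmetric-key authentication (RFC 5905), where the packet carries a trailer of key ID plus hash(key || packet). The following Python example is added here and is not code from the Siemens manual; it shows how a client-side check of that trailer behaves under the "Secure NTP Client only" setting, assuming packets without extension fields, and all keys and timestamps in it are constructed.

```python
"""Added example, not code from the Siemens manual: how the NTP authentication
parameters configured above (key ID, hash algorithm, key) are used to check a
packet's MAC (RFC 5905 symmetric-key authentication, MAC = key ID || hash(key || packet)).
Assumption: packets carry no extension fields, so the MAC starts at byte 48."""
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48                    # fixed NTPv4 header; extension fields assumed absent
DIGEST_LEN = {"md5": 16, "sha1": 20}   # digest sizes allowed in the MAC trailer
NTP_EPOCH_OFFSET = 2208988800          # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)


def build_ntp_request(unix_time):
    """Build a minimal NTPv4 client request (LI=0, VN=4, mode=3) with only the
    transmit timestamp filled in, as a client would send it to the server."""
    ntp_time = unix_time + NTP_EPOCH_OFFSET
    secs = int(ntp_time)
    frac = int((ntp_time - secs) * (1 << 32))
    header = struct.pack("!BBbb", 0x23, 0, 0, 0)   # LI/VN/mode, stratum, poll, precision
    header += struct.pack("!II", 0, 0)            # root delay, root dispersion
    header += b"\x00" * 4                         # reference ID
    header += b"\x00" * 24                        # reference, origin, receive timestamps
    header += struct.pack("!II", secs, frac)      # transmit timestamp
    return header


def append_mac(packet, key_id, key, algorithm):
    """Append an RFC 5905 MAC trailer: 32-bit key ID followed by hash(key || packet)."""
    digest = hashlib.new(algorithm, key + packet).digest()
    return packet + struct.pack("!I", key_id) + digest


def verify_mac(packet, trusted_keys, secure_only=True):
    """Check the MAC trailer of a received packet.

    trusted_keys maps key ID -> (algorithm, key bytes), i.e. the Key ID / Hash
    Algorithm / Key triples from the NTP server table.  secure_only mirrors the
    "Secure NTP Client only" setting: an unauthenticated packet is then rejected.
    Returns (accepted, reason)."""
    trailer_len = len(packet) - NTP_HEADER_LEN
    if trailer_len < 0:
        return False, "packet shorter than an NTP header"
    if trailer_len == 0:
        return (not secure_only), "no MAC present"
    if trailer_len == 4:
        return False, "crypto-NAK (server rejected our key ID)"
    if trailer_len < 4:
        return False, "truncated MAC trailer"
    key_id = struct.unpack("!I", packet[NTP_HEADER_LEN:NTP_HEADER_LEN + 4])[0]
    if key_id not in trusted_keys:
        return False, f"unknown key ID {key_id}"
    algorithm, key = trusted_keys[key_id]
    if trailer_len - 4 != DIGEST_LEN[algorithm]:
        return False, "digest length does not match the configured hash algorithm"
    expected = hashlib.new(algorithm, key + packet[:NTP_HEADER_LEN]).digest()
    received = packet[NTP_HEADER_LEN + 4:]
    # constant-time comparison: never short-circuit on the first differing byte
    if not hmac.compare_digest(expected, received):
        return False, "digest mismatch (wrong key or tampered packet)"
    return True, "authenticated"


def demo():
    """Run the check against constructed packets; returns a dict of outcomes."""
    # constructed sample keys; real keys come from the NTP server table
    keys = {1: ("sha1", b"S615-example-key"), 2: ("md5", b"second-key")}
    request = build_ntp_request(1546300800.0)          # constructed: 2019-01-01 00:00:00 UTC
    good = append_mac(request, 1, keys[1][1], "sha1")
    tampered = good[:40] + bytes([good[40] ^ 0x01]) + good[41:]   # flip a timestamp bit
    return {
        "authenticated": verify_mac(good, keys)[0],
        "tampered": verify_mac(tampered, keys)[0],
        "wrong_key": verify_mac(append_mac(request, 1, b"wrong-key", "sha1"), keys)[0],
        "wrong_algorithm": verify_mac(append_mac(request, 1, keys[1][1], "md5"), keys)[0],
        "unknown_key_id": verify_mac(append_mac(request, 9, b"x", "md5"), keys)[0],
        "no_mac_secure_only": verify_mac(request, keys)[0],
        "no_mac_relaxed": verify_mac(request, keys, secure_only=False)[0],
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:>20}: {'accepted' if accepted else 'rejected'}")
```

Only the first case is accepted; with secure_only disabled the unauthenticated reply is accepted too, which is the difference the "Secure NTP Client only" switch makes.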


4.3.5 DDNS
On this Basic Wizard page, you configure the dynamic DNS client (DDNS client). The DDNS
client synchronizes the assigned IP address with the hostname registered at the DDNS
provider. This means that the device can always be reached using the same hostname.

Description
The table has the following columns:
● Service
Shows which providers are supported.
● Enabled
When enabled, the device logs on to the DDNS server.
● Host
Enter the hostname that you have agreed with your DDNS provider for the device, e.g.
example.no-ip-com.
● User Name
Enter the user name with which the device logs on to the DDNS server.
● Password
Enter the password assigned to the user.
● Password Confirmation
Confirm the password.


4.3.6 SINEMA RC
On this Basic Wizard page, you configure the access to the SINEMA RC server.

Note
This function can only be used with a KEY PLUG (Page 25).


Description
The Basic Wizard page contains the following boxes:
● Enable SINEMA RC
– Enabled:
A connection to the configured SINEMA RC Server is established. These boxes
cannot be edited.
– Disabled:
The boxes can be edited. Any existing connection is terminated.
"Server settings" area
● SINEMA RC Address
Enter the IPv4 address or the DNS host name of the SINEMA RC Server.
● SINEMA RC Port
Enter the port via which the SINEMA RC Server can be reached.
"Server Verification" area
● Verification Type
– Fingerprint: The identity of the server is verified based on the fingerprint.
– CA certificate: The identity of the server is verified based on the CA certificate.
● Fingerprint
Only necessary with the setting "Fingerprint". Enter the fingerprint of the device. The
fingerprint is assigned during commissioning of the SINEMA RC Server. Based on the
fingerprint, the device checks whether the correct SINEMA RC Server is involved. You
will find further information on this in the Operating Instructions of the SINEMA RC
Server.
● CA Certificate
Only necessary with the setting "CA Certificate". Select the CA certificate of the server
used to sign the server certificate. Only loaded CA certificates can be selected.
"Device Credentials" area
● Device ID
Enter the device ID. The device ID is assigned when configuring the device on the
SINEMA RC Server. You will find further information on this in the Operating Instructions
of the SINEMA RC Server.
● Device Password
Enter the password with which the device logs on to the SINEMA RC Server. The
password is assigned when configuring the device on the SINEMA RC Server. You will
find further information on this in the Operating Instructions of the SINEMA RC Server.
● Device Password Confirmation
Repeat the password.


"Optional Settings" area


● Auto Firewall/NAT Rules
– Enabled
The firewall and NAT rules are created automatically for the VPN connection. The
connections between the configured exported subnets and the subnets that can be
reached via the SINEMA RC Server are allowed. The NAT settings are implemented
as configured in the SINEMA RC Server.
– Disabled
You will need to create the firewall and NAT rules yourself.
● Type of connection
Specify the type of VPN connection. For more detailed information, refer to the section
"VPN connection establishment".
– Auto
The device adopts the settings of the SINEMA RC server. You configure the settings
on the SINEMA RC Server in "Remote Connections > Devices". You will find further
information on this topic in the operating instructions "SINEMA RC Server".
– Permanent
The settings of the SINEMA RC server are ignored. The device establishes a VPN
connection to the SINEMA RC Server. The VPN tunnel is established permanently.
– Digital Input
The settings of the SINEMA RC server are ignored. If the "Digital In" event occurs, the
device attempts to establish a VPN connection to the SINEMA RC Server. This is on
the condition that the event "Digital In" is forwarded to the VPN connection. To do this
in "System > Events > Configuration" activate "VPN Tunnel" for the "Digital In" event.
● Use Proxy
Specify whether the connection to the defined SINEMA RC Server is established via a
proxy server. Only proxy servers that you configured in "System > Proxy Server" can be
selected.
● Autoenrollment Interval [min]
Specify the period of time in minutes after which queries are sent to the SINEMA RC
server. With these queries, the device checks whether there is a newer firmware file on
the SINEMA RC server.
If you enter the value 0, this function is disabled.

4.3.7 Summary

Introduction
The settings are summarized on this page. The content of the page depends on the set
parameters and the device.


Check the settings before you exit the Basic Wizard with the "Set Values" button. If settings
are incorrect, go back using the "Prev" button and change the settings to the required ones.

Set Values
Click the "Set Values" button to exit the Basic Wizard. The settings are adopted.


4.4 "Information" menu

4.4.1 Start Page

View of the Start page


When you enter the IP address of the device, the start page is displayed after a successful
login.

General layout of the WBM page


The following areas are available on every WBM page:
● Selection area (1): Top area
● Display area (2): Top area
● Navigation area (3): Left-hand area
● Content area (4): Middle area


Selection area (1)


The following is available in the selection area:
● Logo of Siemens AG
When you click on the logo, you arrive at the Internet page of the corresponding basic
device in Siemens Industry Online Support.
● Display of: "System Location / System Name"
– "System Location" contains the location of the device.
In the factory settings, the IP address of the device is displayed.
– "System Name" is the device name.
In the factory settings, the device type is displayed.
You can change the content of this display with "System > General > Devices".
● Drop-down list for language selection
● System time and date
You can change the content of this display with "System > System Time".
If the system time is not set, the status is . If the system time is configured, but the
system time cannot be synchronized, a yellow warning triangle can be seen. Check
whether the time server can be reached. If necessary adapt your configuration. If the
system time is set and/or can be synchronized, the status is .

Display area (2)


In the left-hand part of the display area, the full title of the currently selected menu item is
always displayed.
● LED simulation
Each device has one or more LEDs that provide information on the operating state of the
device. Depending on its location, direct access to the device may not always be
possible. Web Based Management therefore displays simulated LEDs. The meaning of
the LED displays is described in the operating instructions.
If you click this button, you open the window for the LED simulation. You can show this
window during a change of menu and move it as necessary. To close the LED simulation,
click the close button in the LED simulation window.
● Help
When you click this button, the help page of the currently selected menu item is opened
in a new browser window.

● Printer
When you click this button, a pop-up window opens with a view of the page content
optimized for the printer.


● Favorites
When the product ships, the button is disabled on all pages.
If you click this button, the symbol changes and the currently open page or currently
open tab is marked as favorite. Once you have enabled the button once, the navigation
area is divided into two tabs. The first tab "Menu" contains all the available menus as
previously. The second tab "Favorites" contains all the pages/tabs that you selected as
favorites. On the "Favorites" tab the pages/tabs are arranged according to the structure in
the "Menu" tab.
If you disable all the favorites you have created, the "Favorites" tab is removed again.
You can save, upload and delete the favorites configuration of a device on the "System >
Load&Save" page using HTTP or TFTP.
● Update on / Update off
WBM pages with overview lists can also have the additional "Update" button.
With this button, you can enable or disable updating of the content area. If updating is
turned on, the display is updated every 2 seconds. To disable the update, click "On".
Instead of "On", "Off" is displayed. As default, updating is always enabled on the WBM
page.

Navigation area (3)


In the navigation area, you have various menus available. Click the individual menus to
display the submenus. The submenus contain pages on which information is available or
with which you can create configurations. These pages are always displayed in the content
area.

Content area (4)


In the navigation area, click a menu to display the pages of the WBM in the content area.
The following is displayed below the picture of the device:
● System Name: System name of the device
● Device Type: The type of the device
● PLUG Configuration:
Shows the status of the configuration data on the PLUG, refer to the section "System >
PLUG > Configuration".
● PLUG License:
Shows the status of the license on the PLUG, refer to the section "System > PLUG >
License".
● Connection Status: Status of the connection
● Signal Strength [dBm] (only with M87x): Signal strength of the connection


● DDNS Status
If a dynamic DNS service is used, the host name of the device is displayed, e.g.
example.no-ip.com. The status of the update is also displayed.
– update successful
Update successful
– update failed
Update unsuccessful
– status unknown
Status unknown
● Fault Status
Fault status of the device

Buttons you require often


The WBM pages contain the following standard buttons:
● Refresh the display with "Refresh"
WBM pages that display current parameters have a "Refresh" button at the lower edge of
the page. Click this button to request up-to-date information from the device for the
current page.

Note
If you click the "Refresh" button, before you have transferred your configuration changes
to the device using the "Set Values" button, your changes will be deleted and the
previous configuration will be loaded from the device and displayed here.

● Save entries with "Set Values"


WBM pages in which you can make configuration settings have a "Set Values" button at
the lower edge. The button only becomes active if you change at least one value on the
page. Click this button to save the configuration data you have entered on the device.
Once you have saved, the button becomes inactive again.

Note
Changing configuration data is possible only with the "admin" role.

Note
The changes take immediate effect. But it takes some time for the changes in the
configuration to be stored.

● Create entries with "Create"


WBM pages in which you can make new entries have a "Create" button at the lower
edge. Click this button to create a new entry.
● Delete entries with "Delete"
WBM pages in which you can delete entries have a "Delete" button at the lower edge.
Click this button to delete the previously selected entries from the device memory.
Deleting also results in an update of the page in the WBM.
● Page down with "Next"
On WBM pages with a lot of data records, the number of data records that can be
displayed on a page is limited. Click the "Next" button to page down through the data
records.
● Page back with "Prev"
On WBM pages with a lot of data records, the number of data records that can be
displayed on a page is limited. Click the "Prev" button to page back through the data
records.
● Delete the display with "Clear"
In pages with sequence logs, you can delete all table entries at the same time regardless
of whether filters are selected. The display is cleared in this process. The restart counter
is only reset after you have restored the device to the factory settings and restarted the
device.
Click the "Clear" button to completely delete the data record.
● Button "Show all"
You can show all entries in pages with a large number of data records. Click "Show all" to
display all entries on the page. Note that displaying all messages can take some time.
● Drop-down list for page change
In pages with a large number of data records, you can navigate to the desired page.
From the drop-down list, select the relevant page to display it.
● "Reset Counters" button
Click "Reset Counters" to reset all counters. The counters are reset by a restart.

Logout
You can log out from any WBM page by clicking the "Logout" link.

Messages
If you have enabled the "Automatic Save" mode and you change a parameter the following
message appears in the display area "Changes will be saved automatically in x seconds.
Click 'Write Startup Config' to save the changes immediately."

Note
Interrupting the save
Saving starts only after the timer in the message has elapsed. How long saving takes
depends on the device.
During the save, the message "Saving configuration data in progress. Please do not switch
off the device" is displayed.
• Do not switch off the device immediately after the timer has elapsed.


4.4.2 Versions
This WBM page shows the versions of the hardware and software of the device.

Description
Table 1 has the following columns:
● Hardware
– Basic Device
Shows the basic device
● Name
Shows the name of the device.
● Revision
Shows the hardware version of the device.
● Order ID
Shows the article number of the device.
● Software
– Firmware
Shows the current firmware version. If a new firmware file was downloaded and the
device has not yet restarted, the firmware version of the downloaded firmware file is
displayed here. After the next restart, the loaded firmware is activated and used.
– Bootloader
Shows the version of the boot software stored on the device.
– Firmware_Running
Shows the firmware version currently being used on the device.
● Description
Shows the short description of the software.
● Version
Shows the version number of the software version.
● Date
Shows the date on which the software version was created.


4.4.3 Identification & Maintenance

Identification and Maintenance data


This page contains information about device-specific vendor and maintenance data such as
the order number, serial number, version number etc. You cannot configure anything on this
page.

Description of the displayed values


The table has the following rows:
● Manufacturer ID
Shows the manufacturer ID.
● Order ID
Shows the order ID.
● Serial Number
Shows the serial number.
● Hardware Revision
Shows the hardware version.
● Software Revision
Shows the software version.
● Revision Counter
Regardless of a version change, this box always displays the value "0".
● Revision Date
Date and time of the last revision
● Function tag
Shows the function tag (plant designation) of the device. The plant designation (HID) is
created during configuration of the device with HW Config of STEP 7.


● Location tag
Shows the location tag of the device. The location identifier (LID) is created during
configuration of the device with HW Config of STEP 7.
● Date
Shows the date created during configuration of the device with HW Config of STEP 7.
● Descriptor
Shows the description created during configuration of the device with HW Config of
STEP 7.

4.4.4 ARP Table

Assignment of MAC address and IP address


With the Address Resolution Protocol (ARP), there is a unique assignment of MAC address
to IP address. This assignment is kept by each network node in its own separate ARP table.
The WBM page shows the ARP table of the device.

Description
The table has the following columns:
● Interface
Shows the interface via which the row entry was learnt.
● MAC Address
Shows the MAC address of the destination or source device.
● IP Address
Shows the IPv4 address of the destination device.
● Media Type
Shows the type of connection.
– Dynamic
The device recognized the address data automatically.
– Static
The addresses were entered as static addresses.


4.4.5 Log Tables

4.4.5.1 Event log

Logging events
The WBM page shows the system events that have occurred in the form of a table. Some of
the system events can be configured in "System > Events", for example if the connection
status of a port has changed.
The content of the table is retained even when the device is turned off. The event log file can
be loaded using HTTP, TFTP or SFTP.

Description
● Severity Filters
You can filter the entries in the table according to severity. To display all the entries,
enable or disable all parameters.


Note
For each severity, a maximum of 400 entries in the table are possible. If the maximum
number of entries is reached for a severity, the oldest entries of this severity are
overwritten in the table. The table remains permanently in the memory.

– Critical
Critical
When this parameter is enabled, all entries of the category "Critical" are displayed.
– Warning
warning
When this parameter is enabled, all entries of the category "Warning" are displayed.
– Info
Informative
When this parameter is enabled, all entries of the category "Info" are displayed.
The table has the following columns:
● Restart
Counts the number of restarts since you last reset to factory settings and shows the
device restart after which the corresponding event occurred.
● System Up Time
Shows the time the device has been running since the last restart when the described
event occurred.
● System Time
Shows the date and time when the described event occurred. If no system time is set, the
box displays "Date/time not set".
● Severity
Sorts the entry into the categories above.
● Log Message
Displays a brief description of the event that has occurred.


4.4.5.2 Security Log


The WBM page shows the events that occurred during communication via a secure VPN
tunnel in the form of the table.


Description
● Severity Filters
You can filter the entries in the table according to severity. To display all the entries,
enable or disable all parameters.

Note
For each severity, a maximum of 400 entries in the table are possible. If the maximum
number of entries is reached for a severity, the oldest entries of this severity are
overwritten in the table. The table remains permanently in the memory.

– Critical
Critical
When this parameter is enabled, all entries of the category "Critical" are displayed.
– Warning
warning
When this parameter is enabled, all entries of the category "Warning" are displayed.
– Info
Informative
When this parameter is enabled, all entries of the category "Info" are displayed.
The table has the following columns:
● Restart
Counts the number of restarts since you last reset to factory settings and shows the
device restart after which the corresponding event occurred.
● System Up Time
Shows the time the device has been running since the last restart when the described
event occurred.
● System Time
Shows the date and time when the described event occurred. If no system time is set, the
box displays "Date/time not set".
● Severity
Sorts the entry into the categories above.
● Log Message
Displays a brief description of the event that has occurred.


4.4.5.3 Firewall Log


The firewall log logs the events that occurred on the firewall. When you create firewall rules,
you can specify the event severity with which they are logged.

Description
● Severity Filters
You can filter the entries in the table according to severity. To display all the entries,
enable or disable all parameters.

Note
For each severity, a maximum of 400 entries in the table are possible. If the maximum
number of entries is reached for a severity, the oldest entries of this severity are
overwritten in the table. The table remains permanently in the memory.

– Critical
Critical
When this parameter is enabled, all entries of the category "Critical" are displayed.
– Warning
warning
When this parameter is enabled, all entries of the category "Warning" are displayed.
– Info
Informative
When this parameter is enabled, all entries of the category "Info" are displayed.


The table has the following columns:


● Restart
Counts the number of restarts since you last reset to factory settings and shows the
device restart after which the corresponding event occurred.
● System Up Time
Shows the time the device has been running since the last restart when the described
event occurred.
● System Time
Shows the date and time when the described event occurred. If no system time is set, the
box displays "Date/time not set".
● Severity
Sorts the entry into the categories above.
● Log Message
Displays a brief description of the event that has occurred.

4.4.6 Faults

Error status
If an error occurs, it is shown on this page. On the device, errors are indicated by the red
fault LED lighting up.
Internal errors of the device and errors that you configure on the following pages are
indicated:
● "System > Events"
● "System > Fault Monitoring"
The calculation of the time of an error always begins after the last system start. If there are
no errors present, the fault LED switches off.


Description
● No. of Signaled Faults
Indicates how often the fault LED lit up and not how many faults occurred.
● Reset Counters button
The number is reset with this button. The counter is reset when there is a restart.
The table contains the following columns:
● Fault Time
Shows the time the device has been running since the last system restart when the
described error/fault occurred.
● Fault Description
Displays a brief description of the fault/error that has occurred.
● Clear Fault State
Some faults can be acknowledged and thus removed from the fault list, e.g. a fault of the
event "Cold/Warm Start". If the "Clear Fault State" button is enabled, you can delete the
error.

4.4.7 DHCP Server


This page shows whether IPv4 addresses were assigned to the devices by the DHCP
server.

Description of the displayed values


● IP Address
Shows the IPv4 address assigned to the DHCP client.
● Pool ID
Shows the number of the IPv4 address band.


● Identification Method
Shows the method with which the DHCP client is identified.
– Remote ID
Shows the remote ID of the DHCP client.
– Circuit ID
Shows the circuit ID of the DHCP client.
– DUID
Shows the DUID of the DHCP client.
● Identification Value
Shows the value that is assigned to the identification method.
● Allocation Method
Shows whether the IPv4 address was assigned statically or dynamically. You configure
the static entries in "System > DHCP > Static Leases".
● Binding State
Shows the status of the assignment.
– Associated
The assignment is used.
– not used
The assignment is not used.
– probing
The assignment is being checked.
– unknown
The status of the assignment is unknown.
● Expire Time
Shows how long the assigned IPv4 address is still valid. When half the period of validity
has elapsed, the DHCP client can extend the period of the assigned IPv4 address. When
the entire time has elapsed, the DHCP client needs to request a new IPv4 address.

4.4.8 SNMP
This page displays the created SNMPv3 groups. You configure the SNMPv3 groups in
"System > SNMP".


Description
The table has the following columns:
● Group Name
Shows the group name.
● User Name
Shows the user that is assigned to the group.

4.4.9 LLDP

Status of the neighborhood table


This page shows the current content of the neighborhood table. This table stores the
information that the LLDP agent has received from connected devices.
You set the interfaces via which the LLDP agent receives or sends information in the
following section: "Layer 2 > LLDP".

Description
The table contains the following columns:
● System Name
Displays the system name of the connected device.
● Device ID
Shows the device ID of the connected device. The device ID corresponds to the device
name assigned via PST (STEP 7). If no device name is assigned, the MAC address of
the device is displayed.
● Local Interface
Shows the port at which the device received the information.


● Hold Time
An entry remains stored on the device for the time specified here. If the IE switch does
not receive any new information from the connected device during this time, the entry is
deleted.
● Capability
Shows the properties of the connected device:
– Router
– Bridge
– Telephone
– DOCSIS Cable Device
– WLAN Access Point
– Repeater
– Station
– Other
● Port ID
Shows the port of the device with which the device is connected.

4.4.10 Routing Table

Introduction
This page shows the routes currently being used.

Description
The table has the following columns:
● Destination Network
Shows the destination address of this route.
● Subnet Mask
Shows the subnet mask of this route.


● Gateway
Shows the gateway for this route.
● Interface
Shows the interface for this route.
● Metric
Shows the metric of the route. The higher the value, the longer packets take to reach their
destination.
● Routing Protocol
Shows the routing protocol from which the entry in the routing table originates. The
following entries are possible:
– Connected: Connected routes
– Static: Static routes
– DHCP: Routes via DHCP


4.4.11 IPsec VPN


The WBM page shows the status of the activated VPN connections.

Description of the displayed values


This table contains the following columns:
● Name
Shows the name of the VPN connection.
● Local Host
Shows the IP address of the device.
● Local DN
Shows the Distinguished Name (DN) of the device that was signaled to the remote station
during connection establishment. The entry is adopted from the "Local ID" box, the device
certificate or the IP address of the device.
● Local Subnet
Shows the local subnet.
● Remote Host
Shows the IP address or the host name of the remote device.
● Remote DN
Shows the Distinguished Name (DN) signaled by the remote device during connection
establishment.
● Remote Subnet
Shows the remote subnet.
● Rekey Time
Shows when the validity of the key expires.
● Status
Shows the status of the VPN connection.


4.4.12 SINEMA RC
Shows information on SINEMA RC Server.

Note
This function can only be used with a KEY PLUG.

Description of the displayed values


● Status
Shows the status of the SINEMA RC Server connection.
● Device Name
If configured, the name of the device is displayed.
● Device Location
If configured, the location of the device is displayed.


● GSM Number
If configured, the phone number of the device is displayed.
● Vendor
If configured, the entry is displayed.
● Comment
If configured, the comment is displayed.
● Type of Connection (Server)
Shows which type of connection is set on the SINEMA RC Server.
● Type of Connection (Device)
Shows which type of connection is set on the device.
● Fingerprint
Shows the fingerprint of the server certificate. Is only displayed when the fingerprint is
used for verification.
● Remote Address
Shows the IP address of the SINEMA RC Server.
● Connected Local Subnet(s)
Shows the IP addresses of the local subnets. Is only displayed when the option
"Connected local subnets" is enabled on the SINEMA RC Server. You will find further
information on this in the Operating Instructions of the SINEMA RC Server.
● Connected Local Host(s)
Shows the destination IP address of the hosts that can be reached.
● Tunnel Interface Address
Shows the IP address of the virtual tunnel interface.
● Connected Remote Subnet(s)
Shows the subnets of the SINEMA RC Server that are reachable for the device. Which
subnets are reachable for the device depends on the communications relations on the
SINEMA RC Server. You will find further information on this in the Operating Instructions
of the SINEMA RC Server.


4.4.13 OpenVPN client


The WBM page shows the status of the activated OpenVPN connections.

Description of the displayed values


This table contains the following columns:
● Name
Shows the name of the OpenVPN connection.
● Remote Server
Shows the IP address or the hostname of the OpenVPN server.
● Tunnel Interface IP
Shows the IP address of the virtual tunnel interface.
● Exported Subnets
Shows the IP address of the local subnets.
● Routed Subnets
Shows the subnets of the OpenVPN server.
● Status
Shows the status of the OpenVPN connection.


4.4.14 Redundancy

4.4.14.1 Overview

MSTP-CIST configuration
The page consists of the following parts.
● The left-hand side of the page shows the configuration of the device.
● The right-hand part shows the configuration of the root bridge that can be derived from
the spanning tree frames received by a device.

Description of the displayed values


The page contains the following boxes:
● Bridge Priority / Root Priority
The Bridge Priority decides which device becomes the Root Bridge. The Bridge with the
highest priority becomes the Root Bridge. The lower the value, the higher the priority. If
several devices in a network have the same priority, the device whose MAC address has
the lowest numeric value will become the root bridge. Both parameters, bridge priority
and MAC address together form the Bridge identifier. Since the root bridge manages all
path changes, it should be located as centrally as possible due to the delay of the frames.
The value for the bridge priority is a whole multiple of 4096 with a range of values from 0
through 61440.
● Bridge Address / Root Address
The bridge address shows the MAC address of the device and the root address shows
the MAC address of the root bridge.


● Root Port
Shows the port via which the switch communicates with the root bridge.
● Root Cost
The path costs from this device to the root bridge.
● Topology Changes / Last Topology Change
The entry for the device shows the number of reconfiguration actions due to the spanning
tree mechanism since the last startup. For the root bridge, the time since the last
reconfiguration is displayed as follows:
– Seconds: Supplement "sec" after the number
– Minutes: Supplement "min" after the number
– Hours: Supplement "hr" after the number
● Bridge Hello Time / Root Hello Time
Each bridge sends configuration frames (BPDUs) regularly. The interval between two
such frames is the Hello time. The default for this parameter is 2 seconds.
● Bridge Forward Delay / Root Forward Delay
New configuration information is not used immediately by a bridge but only after the
forwarding delay specified in the parameter. This ensures that operation is only started
with the new topology after all the bridges have the required information. The default for
this parameter is 15 seconds.
● Bridge Max Age / Root Max Age
When the max age timer elapses, the received BPDU is discarded and is no longer accepted
as valid by the switch. The default value is 20 s.
● Bridge Max Hop Count
This parameter specifies how many MSTP nodes a BPDU may pass through. If an MSTP
BPDU is received and has a hop count that exceeds the value configured here, it is
discarded. The default for this parameter is 20.
● Root Hop Count
The number of nodes that need to be run through on the way to the root bridge.


4.4.14.2 Spanning Tree

Introduction
The page shows the current information about the spanning tree and the settings of the root
bridge.

Description of the displayed values


The following fields are displayed:
● Spanning Tree Mode
Shows the set mode. You specify the mode in "Layer 2 > Configuration" and in "Layer 2 >
Spanning Tree > General".
The following values are possible:
– '-'
– RSTP
● Bridge Priority / Root Priority
Which device becomes the root bridge is decided by the bridge priority. The bridge with
the highest priority (in other words, with the lowest value for this parameter) becomes the
root bridge. If several devices in a network have the same priority, the device whose MAC
address has the lowest numeric value will become the root bridge. Both parameters,
bridge priority and MAC address together form the bridge identifier. Since the root bridge
manages all path changes, it should be located as centrally as possible due to the delay
of the frames. The value for the bridge priority is a whole multiple of 4096 with a range of
values from 0 to 32768.
● Bridge Address / Root Address
The bridge address shows the MAC address of the device and the root address shows
the MAC address of the root switch.
● Root Cost
Shows the path costs from the device to the root bridge.
● Bridge Status
Shows the status of the bridge, e.g. whether or not the device is the root bridge.
The table has the following columns:
● Port
Shows the interfaces via which the device communicates.
● Role
Shows the status of the port. The following values are possible:
– Disabled
The port was removed manually from the spanning tree and will no longer be taken
into account by the spanning tree.
– Designated
The ports leading away from the root bridge.
– Alternate
The port with an alternative route to a network segment
– Backup
If a switch has several ports to the same network segment, the "poorer" port becomes
the backup port.
– Root
The port that provides the best route to the root bridge.
– Master
This port points to a root bridge located outside the MST region.
● Status
Shows the current status of the interface. The values are only displayed. The parameter
depends on the configured protocol.
– Discarding
The port receives BPDU frames. Other incoming or outgoing frames are discarded.
– Listening
The port receives and sends BPDU frames. The port is involved in the spanning tree
algorithm. Other outgoing and incoming frames are discarded.
– Learning
The port actively learns the topology; in other words, the node addresses. Other
outgoing and incoming frames are discarded.
– Forwarding
Following the reconfiguration time, the port is active in the network. The port receives
and sends data frames.


● Oper. Version
Shows the compatibility mode of Spanning Tree used by the port.
● Priority
If the path calculated by the spanning tree is possible over several ports of a device, the
port with the highest priority (in other words the lowest value for this parameter) is
selected. A value between 0 and 240 can be entered for the priority in steps of 16. If you
enter a value that cannot be divided by 16, the value is automatically adapted. The
default is 128.
● Path Cost
This parameter is used to calculate the path that will be selected. The path with the
lowest value is selected. If several ports of a device have the same value, the port with
the lowest port number is selected.
If the value in the "Cost Calc" field is "0", the automatically calculated value is displayed.
Otherwise, the value of the "Cost Calc" field is displayed.
The calculation of the path costs is largely based on the transmission speed. The higher
the achievable transmission speed is, the lower the value of the path costs.
Typical values for path costs with rapid spanning tree:
– 10,000 Mbps = 2,000
– 1000 Mbps = 20,000
– 100 Mbps = 200,000
– 10 Mbps = 2,000,000
● Edge Type
Shows the type of the connection. The following values are possible:
– Edge Port
There is an end device at this port.
– No Edge Port
There is a spanning tree or rapid spanning tree device at this port.
● P.t.P. Type
Shows the type of point-to-point link. The following values are possible:
– P.t.P.
With half duplex, a point-to-point link is assumed.
– Shared Media
With a full duplex connection, a point-to-point link is not assumed.
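To make the root election and cost rules on this page concrete, here is an added Python model (not code from the manual or from the SCALANCE firmware). It compares bridge identifiers the way the page describes (priority first, then the numerically lowest MAC address), validates the 4096 step for the bridge priority, adapts a port priority to steps of 16, and sums the typical RSTP path costs into a root cost. Bridge names and MAC addresses are constructed; rounding the port priority down is an assumption, since the page only says that a value not divisible by 16 is adapted.

```python
"""Model of the RSTP root election and port parameters described on this page.

Added example, not code from the SCALANCE manual or the device firmware.
It applies three rules stated on the page: the bridge identifier is the bridge
priority followed by the MAC address and the lowest identifier wins, the bridge
priority must be a whole multiple of 4096, and port priorities are entered in
steps of 16. Bridge names and MAC addresses are constructed sample values.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Typical RSTP path costs by link speed (Mbps), as listed on this page.
TYPICAL_PATH_COST = {10_000: 2_000, 1_000: 20_000, 100: 200_000, 10: 2_000_000}


@dataclass(frozen=True)
class Bridge:
    name: str
    priority: int  # whole multiple of 4096
    mac: str       # "aa:bb:cc:dd:ee:ff"

    def identifier(self) -> Tuple[int, int]:
        """Bridge identifier as a comparable tuple.

        Tuples compare element by element, so the lower priority value wins
        and a tie is decided by the numerically lowest MAC address."""
        return (self.priority, int(self.mac.replace(":", ""), 16))


def validate_bridge_priority(value: int) -> int:
    """Accept only whole multiples of 4096 in the range 0 through 61440."""
    if value % 4096 != 0 or not 0 <= value <= 61440:
        raise ValueError(f"bridge priority {value} is not a multiple of 4096 in 0..61440")
    return value


def normalize_port_priority(value: int) -> int:
    """Port priority is 0..240 in steps of 16; other values are adapted.

    Assumption: the value is rounded down to the next multiple of 16. The page
    only says a value not divisible by 16 "is automatically adapted"."""
    if not 0 <= value <= 255:
        raise ValueError(f"port priority {value} out of range")
    return (value // 16) * 16


def elect_root(bridges: List[Bridge]) -> Bridge:
    """Return the bridge that becomes the root bridge."""
    for bridge in bridges:
        validate_bridge_priority(bridge.priority)
    return min(bridges, key=Bridge.identifier)


def path_cost(link_speed_mbps: int) -> int:
    """Automatically calculated path cost: the faster the link, the lower the cost."""
    if link_speed_mbps not in TYPICAL_PATH_COST:
        raise ValueError(f"no typical path cost for {link_speed_mbps} Mbps")
    return TYPICAL_PATH_COST[link_speed_mbps]


def root_cost(link_speeds_to_root: List[int]) -> int:
    """Root Cost as shown on the page: the path costs summed up to the root bridge."""
    return sum(path_cost(speed) for speed in link_speeds_to_root)


if __name__ == "__main__":
    # Constructed sample network: two bridges at the default priority 32768 and
    # one lowered to 4096 so that it is preferred as root.
    lan = [
        Bridge("core", 4096, "00:1b:1b:00:00:10"),
        Bridge("cell-a", 32768, "00:1b:1b:00:00:02"),
        Bridge("cell-b", 32768, "00:1b:1b:00:00:01"),
    ]
    print("root bridge:", elect_root(lan).name)
    print("root cost over 1 Gbps + 100 Mbps:", root_cost([1000, 100]))
    print("port priority 100 adapted to:", normalize_port_priority(100))
```

Lowering the priority of the bridge you want as root (rather than relying on the MAC tie-break) is what keeps the root where the page recommends it, as centrally as possible; the tie-break case in the sample shows why a deliberately set priority matters.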


4.4.15 VRRPv3 Statistics

Introduction
This page shows the statistics of the VRRPv3 protocol and all configured virtual routers.

Description
The following fields are displayed:
● VRID Errors
Shows how many VRRPv3 packets containing an unsupported VRID were received.
● Version Errors
Shows how many VRRPv3 packets containing an invalid version number were received.
● Checksum Errors
Shows how many VRRPv3 packets containing an invalid checksum were received.
The table has the following columns:
● Interfaces
Interface to which the settings relate.
● VRID
Shows the ID of the virtual router. Valid values are 1 ... 255.
● Address Type
Shows the version of the IP protocol.
● Become Master
Shows how often this virtual router changed to the "Master" status.
● Advertisements Received
Shows how many VRRPv3 packets were received.


● Advertisement Interval Errors
Shows how many bad VRRPv3 packets were received whose interval does not match the
value set locally.

● IP TTL Errors
Shows how many bad VRRPv3 packets were received whose TTL (Time to live) value in
the IP header is incorrect.
● Prio 0 received
Shows how many VRRPv3 packets with priority 0 were received. VRRPv3 packets with
priority 0 are sent when a master router is shut down. These packets allow a fast
handover to the relevant backup router.
● Prio 0 sent
Shows how many VRRPv3 packets with priority 0 were sent. Packets with priority 0 are
sent when a master router is shut down. These packets allow a fast handover to the
relevant backup router.
● Invalid Type
Shows how many bad VRRPv3 packets were received whose value in the "Type" field of
the IP header is invalid.
● Address List Errors
Shows how many bad VRRPv3 packets were received whose address list does not
match the locally configured list.
● Packet Length Errors
Shows how many bad VRRPv3 packets were received whose length is not correct.
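The counters on this page correspond to the receive-side checks that RFC 5798 prescribes for a VRRPv3 router. The following added Python example (not code from the manual or from the device) builds a VRRPv3 advertisement for a constructed virtual router and then books received packets under the same counter names the page uses. The TTL 255 requirement, the header layout and the pseudo-header checksum come from RFC 5798; the sample addresses, VRID 10, the 100 centisecond interval, the order of the checks and the rule that every packet is counted exactly once are assumptions.

```python
"""Receive-side validation of VRRPv3 advertisements (RFC 5798, IPv4 transport),
classified into the error counters shown on this statistics page.

Added example, not code from the SCALANCE manual or the device firmware. The
virtual router (VRID 10 owning 192.168.1.1, advertised every 100 centiseconds
from 192.168.1.2) is constructed; check order and counting are assumptions.
"""
import ipaddress
import struct
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

VRRP_PROTOCOL = 112            # IP protocol number of VRRP
VRRP_VERSION = 3
VRRP_TYPE_ADVERTISEMENT = 1    # the only message type defined in RFC 5798
VRRP_TTL = 255                 # advertisements must arrive with TTL 255


@dataclass
class VirtualRouter:
    """Locally configured virtual router (the settings the counters compare against)."""
    vrid: int
    adver_int_cs: int       # advertisement interval in centiseconds
    addrs: List[str]        # virtual IPv4 addresses, in configured order


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum with end-around carry."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src: str, dst: str, vrrp_len: int) -> bytes:
    """IPv4 pseudo-header that RFC 5798 section 5.2.8 includes in the checksum."""
    return (ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
            + struct.pack("!BBH", 0, VRRP_PROTOCOL, vrrp_len))


def build_advertisement(src: str, vrid: int, priority: int, addrs: List[str],
                        adver_int_cs: int = 100, dst: str = "224.0.0.18") -> bytes:
    """Serialise a VRRPv3 advertisement with a correct checksum."""
    header = struct.pack("!BBBBHH", (VRRP_VERSION << 4) | VRRP_TYPE_ADVERTISEMENT,
                         vrid, priority, len(addrs), adver_int_cs & 0x0FFF, 0)
    body = header + b"".join(ipaddress.IPv4Address(a).packed for a in addrs)
    csum = (~ones_complement_sum(pseudo_header(src, dst, len(body)) + body)) & 0xFFFF
    return body[:6] + struct.pack("!H", csum) + body[8:]


class VrrpStats:
    """Counters named after the fields of the VRRPv3 statistics page."""

    def __init__(self, routers: Dict[int, VirtualRouter]):
        self.routers = routers
        self.counters: Counter = Counter()

    def receive(self, pkt: bytes, src: str, dst: str, ttl: int) -> str:
        """Book one received packet and return the counter it landed in."""
        category = self._classify(pkt, src, dst, ttl)
        self.counters[category] += 1
        return category

    def _classify(self, pkt: bytes, src: str, dst: str, ttl: int) -> str:
        if len(pkt) < 8:
            return "Packet Length Errors"
        ver_type, vrid, priority, count, adver, _csum = struct.unpack("!BBBBHH", pkt[:8])
        if ver_type >> 4 != VRRP_VERSION:
            return "Version Errors"
        if ttl != VRRP_TTL:
            return "IP TTL Errors"
        if len(pkt) != 8 + 4 * count:          # one IPv4 address per counted entry
            return "Packet Length Errors"
        if ones_complement_sum(pseudo_header(src, dst, len(pkt)) + pkt) != 0xFFFF:
            return "Checksum Errors"
        router = self.routers.get(vrid)
        if router is None:
            return "VRID Errors"
        if ver_type & 0x0F != VRRP_TYPE_ADVERTISEMENT:
            return "Invalid Type"
        addrs = [str(ipaddress.IPv4Address(pkt[8 + 4 * i:12 + 4 * i])) for i in range(count)]
        if addrs != router.addrs:
            return "Address List Errors"
        if adver & 0x0FFF != router.adver_int_cs:
            return "Advertisement Interval Errors"
        if priority == 0:                      # master shutting down: fast handover
            return "Prio 0 received"
        return "Advertisements Received"


def sample_stats() -> VrrpStats:
    """Constructed local configuration: virtual router 10 owns 192.168.1.1."""
    return VrrpStats({10: VirtualRouter(10, 100, ["192.168.1.1"])})


if __name__ == "__main__":
    stats = sample_stats()
    good = build_advertisement("192.168.1.2", 10, 100, ["192.168.1.1"])
    corrupted = bytearray(good)
    corrupted[2] ^= 0xFF                       # flip the priority byte in transit
    print(stats.receive(good, "192.168.1.2", "224.0.0.18", 255))
    print(stats.receive(bytes(corrupted), "192.168.1.2", "224.0.0.18", 255))
    print(stats.receive(good, "192.168.1.2", "224.0.0.18", 64))
    print(dict(stats.counters))
```

A rising "IP TTL Errors" or "Address List Errors" count on a production router is worth investigating: the first means advertisements are being forwarded across a router hop (VRRP must stay on one link), the second that two devices on the link disagree about which addresses virtual router 10 owns.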


4.4.16 Security

4.4.16.1 Overview

Note
The values displayed depend on the rights of the logged-in user.

This page shows the security settings and the local and external user accounts.

Description
Services
The "Services" list shows the security settings.
● Telnet Server
You configure the setting in "System > Configuration".
– Enabled: Unencrypted access to the CLI.
– Disabled: No unencrypted access to the CLI.


● SSH Server
You configure the setting in "System > Configuration".
– Enabled: Encrypted access to the CLI.
– Disabled: No encrypted access to the CLI.
● Web Server
You configure the setting in "System > Configuration".
– HTTP/HTTPS: Access to the WBM is possible with HTTP and HTTPS.
– HTTPS: Access to the WBM is only possible with HTTPS.
● SNMP
You configure the setting in "System > SNMP > General".
– "-" (SNMP disabled)
Access to device parameters via SNMP is not possible.
– SNMPv1/v2c/v3
Access to device parameters is possible with SNMP versions 1, 2c or 3.
– SNMPv3
Access to device parameters is possible only with SNMP version 3.
● Management ACL
You configure the setting in "Security > Management ACL".
– Enabled: Restricted access only: Access is restricted using an Access Control List
(ACL).
– Disabled: No access restriction: Management ACL is not enabled.
– Enabled: No access restriction: Management ACL is enabled, but access is not
restricted using an Access Control List (ACL).
● Login Authentication
You configure the setting in "Security > AAA > General".
– Local
The authentication must be made locally on the device.
– RADIUS
The authentication must be handled via a RADIUS server.
– Local and RADIUS
The authentication is possible both with the users that exist on the device (user name
and password) and via a RADIUS server.
The user is first searched for in the local database. If the user does not exist there, a
RADIUS query is sent.


– RADIUS and fallback local
The authentication must be handled via a RADIUS server.
A local authentication is performed only when the RADIUS server cannot be reached
in the network.
● Password Policy
Shows which password policy is currently being used.
Local and external user accounts
You configure local user accounts and roles in "Security > Users".
When you create a local user account, an external user account is generated automatically.
Local user accounts involve users each with a password for logging in on the device.
In the table "External User Accounts" a user is linked to a role. In this example the user
"Observer" is linked to the "user" role. The user is defined on a RADIUS server. The role is
defined locally on the device. When a RADIUS server authenticates a user but the
corresponding group is unknown on the device or does not exist, the device checks whether or
not there is an entry for the user in the table "External User Accounts". If an entry exists, the
user is logged in with the rights of the associated role. If the corresponding group is known
on the device, both tables are evaluated. The user is assigned the role with the higher rights.

Note
The table "External User Accounts" is only evaluated if you have set "SiemensVSA" in the
RADIUS Authorization Mode.

You can access the external user accounts with the CLI.


The "Local User Accounts" and "External User Accounts" tables have the following columns:
● User Account
Shows the name of the local user.
● Role
Shows the role of the user. You can obtain more information on the function rights of the
role in "Information > Security > Roles".


4.4.16.2 Supported Function Rights

Note
The values displayed depend on the role of the logged-on user.

The page shows the function rights available locally on the device.

Description of the displayed values


● Function Right
Shows the number of the function right. Different rights relating to the device parameters
are assigned to the numbers.
● Description
Shows the description of the function right.


4.4.16.3 Roles

Note
The values displayed depend on the role of the logged-on user.

The page shows the roles valid locally on the device.

Description
The table contains the following columns:
● Role
Shows the name of the role.
● Function Right
Shows the function right of the role:
– 1
Users with this role can read device parameters but cannot change them.
– 15
Users with this role can both read and change device parameters.
– 0
This is a role that the device assigns internally when a user could not be
authenticated. The user is denied access to the device.
● Description
Shows a description of the role.


4.4.16.4 Groups

Note
The values displayed depend on the role of the logged-on user.

This page shows which group is linked to which role. The group is defined on a RADIUS
server. The role is defined locally on the device.

Description of the displayed values


The table has the following columns:
● Group
Shows the name of the group. The name matches the group on the RADIUS server.
● Role
Shows the name of the role. Users who are authenticated with the linked group on the
RADIUS server receive the rights of this role locally on the device.
● Description
Shows a description of the link.


4.5 "System" menu

4.5.1 Configuration

System configuration
The WBM page contains the configuration overview of the access options of the device.
Specify the services that access the device. With some services, there are further
configuration pages on which more detailed settings can be made.

Description
The page contains the following boxes:
● Telnet Server
Enable or disable the Telnet server service for unencrypted access to the CLI.
● SSH Server
Enable or disable the SSH server service for encrypted access to the CLI.


● HTTP Services
Specify how the WBM is accessed:
– HTTPS
Access to the WBM is only possible with HTTPS.
– HTTP/HTTPS
Access to the WBM is possible with HTTP and HTTPS.
– Redirect HTTP to HTTPS
Access via HTTP is automatically diverted to HTTPS.
● Default Login Page
Specify the login page with which the WBM starts by default.
– Firewall
Logging into the WBM page for user-specific firewall.
– Configuration
Logging into the WBM.
● SMTP Client
Enable or disable the SMTP client. You can configure other settings in "System > SMTP
Client".
● Syslog Client
Enable or disable the Syslog client. You can configure other settings in "System > Syslog
Client".
● DCP Server
Specify whether or not the device can be accessed with DCP (Discovery and
Configuration Protocol):
– "-" (disabled)
DCP is disabled. Device parameters can neither be read nor modified.
– Read/Write
With DCP, device parameters can be both read and modified.
– Read Only
With DCP, device parameters can be read but cannot be modified.


● Time
Select the setting from the drop-down list. The following settings are possible:
– Manual
The system time is set manually. You can configure other settings in "System >
System Time > Manual Setting".
– SIMATIC Time
The system time is set using a SIMATIC time transmitter. You can configure other
settings in "System > System Time > SIMATIC Time Client".
– SNTP Client
The system time is set via an SNTP server. You can configure other settings in
"System > System Time > SNTP Client".
– NTP Client
The system time is set via an NTP server. You can configure other settings in "System
> System Time > NTP Client".
● SNMP
Select the protocol from the drop-down list. The following settings are possible:
– "-" (SNMP disabled)
Access to device parameters via SNMP is not possible.
– SNMPv1/v2c/v3
Access to device parameters is possible with SNMP versions 1, 2c or 3. You can
configure other settings in "System > SNMP > General".
– SNMPv3
Access to device parameters is possible only with SNMP version 3. You can configure
other settings in "System > SNMP > General".
● SNMPv1/v2 Read Only
Enable or disable write access to SNMP variables with SNMPv1/v2c.
● SNMPv1 Traps
Enable or disable the sending of SNMPv1 traps (alarm frames). You can configure other
settings in "System > SNMP > Traps".
● SINEMA Configuration Interface
If the SINEMA configuration interface is enabled, you can download configurations to the
device using STEP 7 Basic / Professional.
● DHCP Client
Enable or disable the DHCP client. You can configure other settings in "System > DHCP".
● DUID Type
Specify which DUID type is used. The DUID types are defined in RFC 3315.
– DUID-LLT
DUID is based on the link layer address of the interface and a time stamp
– DUID-EN
DUID is assigned by the vendor (EN = enterprise number)
– DUID-LL
DUID is based on the link layer address of the interface


● Link-layer Address Plus Time (LLT)
The value is based on the link layer address of the interface and a time stamp. The value
is regenerated each time the factory settings are restored.
● Vendor Enterprise Number (EN)
The value is based on the enterprise number specific to the vendor. The value is
regenerated each time the factory settings are restored.
● Link-layer address (LL)
The link-layer address is based on the MAC address. The value is regenerated each time
the factory settings are restored.
● Configuration Mode
Select the mode from the drop-down list. The following modes are possible:
– Automatic Save
Automatic backup mode. Approximately 1 minute after the last parameter change or
before you restart the device, the configuration is automatically saved.
In addition to this, the following message appears in the display area "Changes will be
saved automatically in x seconds. Click 'Write Startup Config' to save the changes
immediately."

Note
Interrupting the save
Saving starts only after the timer in the message has elapsed. How long saving takes
depends on the device.
During the save, the message "Saving configuration data in progress. Please do not
switch off the device" is displayed.
• Do not switch off the device immediately after the timer has elapsed.

– Trial
Trial mode. In Trial mode, although changes are adopted, they are not saved in the
configuration file (startup configuration).
To save changes in the configuration file, use the "Write startup config" button. The
display area also shows the message "Trial Mode Active – Press the "Write Startup
Config" button to make your settings persistent" as soon as there are unsaved
modifications. This message can be seen on every WBM page until the changes
made have either been saved or the device has been restarted.
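The three DUID types selectable above are wire formats defined in RFC 3315 section 9. The following added Python example (not code from the manual or from the SCALANCE firmware) encodes and decodes all three so that a DUID seen in a DHCP server's lease table can be traced back to its type and link-layer address. The MAC address, the enterprise number and the time stamp are constructed sample values; the regeneration of the device's DUID on a factory reset, which the page mentions, is not modelled.

```python
"""Encoding and decoding of the DHCP DUID types this page lets you select
(DUID-LLT, DUID-EN, DUID-LL; RFC 3315 section 9).

Added example, not code from the SCALANCE manual or the device firmware. The
MAC address, enterprise number and time stamp are constructed sample values.
"""
import struct
from datetime import datetime, timezone
from typing import Any, Dict

DUID_LLT, DUID_EN, DUID_LL = 1, 2, 3
HW_TYPE_ETHERNET = 1                      # IANA hardware type for Ethernet
EPOCH_2000 = datetime(2000, 1, 1, tzinfo=timezone.utc)


def _mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def _mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def seconds_since_2000(when: datetime) -> int:
    """DUID-LLT time stamp: seconds since 2000-01-01 00:00 UTC, modulo 2**32."""
    return int((when - EPOCH_2000).total_seconds()) % 2**32


def duid_llt(mac: str, time_stamp: int) -> bytes:
    """DUID-LLT: type 1, hardware type, time stamp, link-layer address."""
    return struct.pack("!HHI", DUID_LLT, HW_TYPE_ETHERNET, time_stamp & 0xFFFFFFFF) + _mac_bytes(mac)


def duid_en(enterprise_number: int, identifier: bytes) -> bytes:
    """DUID-EN: type 2, IANA enterprise number, vendor-assigned identifier."""
    return struct.pack("!HI", DUID_EN, enterprise_number) + identifier


def duid_ll(mac: str) -> bytes:
    """DUID-LL: type 3, hardware type, link-layer address (no time stamp)."""
    return struct.pack("!HH", DUID_LL, HW_TYPE_ETHERNET) + _mac_bytes(mac)


def decode_duid(duid: bytes) -> Dict[str, Any]:
    """Parse a DUID back into its fields; rejects truncated or unknown types."""
    if len(duid) < 2:
        raise ValueError("DUID shorter than the type field")
    (dtype,) = struct.unpack("!H", duid[:2])
    if dtype == DUID_LLT and len(duid) >= 8:
        hw_type, seconds = struct.unpack("!HI", duid[2:8])
        return {"type": "DUID-LLT", "hw_type": hw_type, "time": seconds,
                "link_layer": _mac_str(duid[8:])}
    if dtype == DUID_EN and len(duid) >= 6:
        (enterprise,) = struct.unpack("!I", duid[2:6])
        return {"type": "DUID-EN", "enterprise_number": enterprise,
                "identifier": duid[6:].hex()}
    if dtype == DUID_LL and len(duid) >= 4:
        (hw_type,) = struct.unpack("!H", duid[2:4])
        return {"type": "DUID-LL", "hw_type": hw_type, "link_layer": _mac_str(duid[4:])}
    raise ValueError(f"unknown or truncated DUID (type {dtype}, {len(duid)} bytes)")


if __name__ == "__main__":
    mac = "00:1b:1b:aa:bb:cc"                                # constructed sample MAC
    stamp = seconds_since_2000(datetime(2019, 1, 1, tzinfo=timezone.utc))  # constructed time
    # 99999 is a placeholder enterprise number, not a real IANA assignment.
    for duid in (duid_llt(mac, stamp), duid_en(99999, b"\x01\x02"), duid_ll(mac)):
        print(duid.hex(), decode_duid(duid))
```

The practical difference between the types: DUID-LL and DUID-LLT embed the MAC address, so a lease table reveals the hardware, while DUID-EN does not; and because the page says the value is regenerated on a factory reset, a DHCP reservation bound to the old DUID stops matching after a reset.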

Procedure
1. To use the required function, select the corresponding check box.
2. Select the options you require from the drop-down lists.
3. Click the "Set Values" button.


4.5.2 General

4.5.2.1 Device
This WBM page contains the general device information.

Description
The WBM page contains the following boxes:
● Current System Time
Shows the current system time. The system time is either set by the user or by a time-of-
day frame: either SINEC H1 time-of-day frame, NTP or SNTP.
● System Up Time
Shows the operating time of the device since the last restart.
● Device Type
Shows the type designation of the device.
● System Name
You can enter the name of the device. The entered name is displayed in the selection
area. A maximum of 255 characters are possible.
The system name is also displayed in the CLI input prompt. The number of characters in
the CLI input prompt is limited. The system name is truncated after 16 characters.
● System Contact
You can enter the name of a contact person responsible for managing the device. A
maximum of 255 characters are possible.


● System Location
You can enter the location where the device is installed. The entered installation location
is displayed in the selection area. A maximum of 255 characters are possible.

Note
Permitted characters
The following printable ASCII characters (0x20 to 0x7e) are permitted in the input fields
"System Name", "System Contact" and "Device Location":
• 0123456789
• A...Z a...z
• !"#$%&'()*+,-./:;<=>?@ [\]_{|}~^`

● Cyclic WBM status update
When this is disabled, automatic update of the WBM is switched off. This is suitable for
slow 2G connections or contracts with very limited data volume.
The following must be taken into account here:
– No status display update
– No automatic logoff after user inactivity
– No message in trial mode
– No message on automatic saving
– No progress display when saving or uploading files
– No automatic forwarding to the changed IP address

Procedure
1. Enter the contact person responsible for the device in the "System Contact" input box.
2. Enter the identifier for the location at which the device is installed in the "System
Location" input box.
3. Enter the name of the device in the "System Name" input box.
4. Click the "Set Values" button.
Note: Steps 1 to 3 can also be performed with the SNMP Management Tool.


4.5.2.2 Coordinates

Information on geographic coordinates
In the "Geographic Coordinates" window, you can enter information on the geographic
coordinates. The parameters of the geographic coordinates (latitude, longitude and the
height above the ellipsoid according to WGS84) are entered directly in the input boxes of the
"Geographic Coordinates" window.
Getting the coordinates
Use suitable maps for obtaining the geographic coordinates of the device.
The geographic coordinates can also be obtained using a GPS receiver. The geographic
coordinates of these devices are normally displayed directly and only need to be entered in
the input boxes of this page.

Description
The page contains the following input boxes with a maximum length of 32 characters.
● "Latitude" input box
Geographical latitude: Here, enter the value for the northerly or southerly latitude of the
location of the device.
For example, the value +49° 1´31.67" means that the device is located at 49 degrees, 1
arc minute and 31.67 arc seconds northerly latitude.
A southerly latitude is shown by a preceding minus character.
You can also append the letters N (northerly latitude) or S (southerly latitude) to the
numeric information (49° 1´31.67" N).
● "Longitude" input box
Geographic longitude: Here, you enter the value of the eastern or western longitude of
the location of the device.
The value +8° 20´58.73" means that the device is located at 8 degrees, 20 minutes and
58.73 seconds east.
A western longitude is indicated by a preceding minus sign.
You can also add the letter E (easterly longitude) or W (westerly longitude) to the numeric
information (8° 20´58.73" E).


● "Height" input box
Geographic height: Here, you enter the value of the height above sea level in meters.
For example, 158 m means that the device is located at a height of 158 m above sea
level.
Heights below sea level (for example the Dead Sea) are indicated by a preceding minus
sign.

Procedure
1. Enter the calculated latitude in the "Latitude" input box.
2. Enter the calculated longitude in the "Longitude" input box.
3. Enter the height above sea level in the "Height" input box.
4. Click the "Set Values" button.
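Because the coordinates are free text limited to 32 characters, a tool that collects them (for example from the device's system data for an asset inventory) has to parse the notation shown above. The following added Python parser (not code from the manual or from the SCALANCE firmware) accepts the forms the page shows, degrees, arc minutes and arc seconds with either a leading sign or a trailing N/S/E/W letter, and converts them to signed decimal degrees; the height is parsed in the same way. The 32-character limit and the sample values come from the page; the tolerated minute and second marks (´, ' and ′; " and ″) are an assumption.

```python
"""Parser for the coordinate notation used by the "Latitude", "Longitude" and
"Height" input boxes described on this page.

Added example, not code from the SCALANCE manual or the device firmware. The
32-character limit is taken from the page; the set of tolerated separators is
an assumption.
"""
import re

MAX_LEN = 32  # maximum length of each input box, per the page

# 49° 1´31.67" N  ->  degrees, arc minutes, arc seconds, optional hemisphere letter.
# The minute mark may be ´ (as printed on the page), ' or ′; the second mark " or ″.
_DMS = re.compile(
    r"""^\s*(?P<sign>[+-])?\s*(?P<deg>\d{1,3})\s*°\s*(?P<min>\d{1,2})\s*[´'′]"""
    r"""\s*(?P<sec>\d{1,2}(?:\.\d+)?)\s*["″]\s*(?P<hemi>[NSEW])?\s*$"""
)
_HEIGHT = re.compile(r"^\s*(?P<value>[+-]?\d+(?:\.\d+)?)\s*m?\s*$")


def parse_dms(text: str, kind: str) -> float:
    """Convert latitude or longitude text to signed decimal degrees.

    kind is "latitude" (N/S, at most 90°) or "longitude" (E/W, at most 180°).
    South and west come out negative, matching the leading minus sign the
    page describes."""
    if kind not in ("latitude", "longitude"):
        raise ValueError(f"kind must be latitude or longitude, not {kind!r}")
    if len(text) > MAX_LEN:
        raise ValueError(f"input longer than {MAX_LEN} characters")
    match = _DMS.match(text)
    if not match:
        raise ValueError(f"unrecognised coordinate {text!r}")
    limit, letters = (90, "NS") if kind == "latitude" else (180, "EW")
    hemi = match["hemi"]
    if hemi and hemi not in letters:
        raise ValueError(f"{hemi} is not a valid letter for {kind}")
    if match["sign"] == "-" and hemi in ("N", "E"):
        raise ValueError("minus sign contradicts the hemisphere letter")
    minutes, seconds = int(match["min"]), float(match["sec"])
    if minutes >= 60 or seconds >= 60:
        raise ValueError("arc minutes and arc seconds must be below 60")
    value = int(match["deg"]) + minutes / 60 + seconds / 3600
    if value > limit:
        raise ValueError(f"{kind} exceeds {limit} degrees")
    negative = match["sign"] == "-" or hemi in ("S", "W")
    return -value if negative else value


def parse_height(text: str) -> float:
    """Height above sea level in meters; heights below sea level are negative."""
    if len(text) > MAX_LEN:
        raise ValueError(f"input longer than {MAX_LEN} characters")
    match = _HEIGHT.match(text)
    if not match:
        raise ValueError(f"unrecognised height {text!r}")
    return float(match["value"])


if __name__ == "__main__":
    # The two sample coordinates from the page, plus a height below sea level.
    print(parse_dms('+49° 1´31.67"', "latitude"))
    print(parse_dms('8° 20´58.73" E', "longitude"))
    print(parse_dms('8° 20´58.73" W', "longitude"))
    print(parse_height("158 m"), parse_height("-430 m"))
```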


4.5.3 Restart

Resetting to the defaults
In this menu, there is a button with which you can restart the device and various options for
resetting to the device defaults.

Note
Note the following points about restarting a device:
• You can only restart the device with administrator privileges.
• A device should only be restarted with the buttons of this menu and not by a power cycle
on the device.
• Any modifications you have made only become active on the device after clicking the "Set
Values" button on the relevant WBM page. If the device is in "Trial Mode", configuration
modifications must be saved manually before a restart. In "Autosave mode", the last
changes are saved automatically before a restart.

Description
To restart the device, the buttons on this page provide you with the following options:
● Restart
Click this button to restart the system. You must confirm the restart in a dialog box.
During a restart, the device is reinitialized, the internal firmware is reloaded, and the
device runs a self-test. The settings of the start configuration are retained, e.g. the IP
address of the device. The learned entries in the address table are deleted. You can
leave the browser window open while the device restarts. After the restart you will need to
log in again.


● Restore Memory Defaults and Restart
Click this button to restore the factory configuration settings with the exception of the
following parameters and to restart:
– IP addresses
– Subnet mask
– IP address of the default gateway
– DHCP client ID
– DHCP
– System name
– System location
– System contact
– User names and passwords
● Restore Factory Defaults and Restart
Click this button to restore the factory defaults for the configuration. The protected
defaults are also reset.
An automatic restart is triggered.

Note
By resetting to the factory configuration settings, the device is reachable again with the IP
address 192.168.1.1 set in the factory, see the section "Requirements for operation".


4.5.4 Load&Save

4.5.4.1 File list

Overview of the file types

● Config
This file contains the start configuration.
Among other things, this file contains the definitions of the users, roles, groups
and function rights. The passwords are stored in the file "Users".
● ConfigPack
Detailed configuration information, for example startup configuration, users,
certificates, WBM favorite pages.
ZIP file consisting of the Config, Users and LSYS files.
● Debug
This file contains information for Siemens Support.
It is encrypted and can be sent by e-mail to Siemens Support without any security
risk.
● Firmware
The firmware is signed and encrypted. This ensures that only firmware created by
Siemens can be downloaded to the device.
● HTTPSCert
Default HTTPS certificates including key.
The preset and automatically created HTTPS certificates are self-signed.
We strongly recommend that you create your own HTTPS certificates and make
them available. We recommend that you use HTTPS certificates signed either by a
reliable external or by an internal certification authority. The HTTPS certificate checks
the identity of the device and controls the encrypted data exchange.
There are files to which access is password protected. To load the file into the
device, enter the password specified for the file on the WBM page "Passwords
(Page 145)".
● LogFile
File with entries from the event log table.
● MIB
Private MSPS MIB file.
● RunningCLI
Text file with CLI commands.
This file contains an overview of the current configuration in the form of CLI
commands. Passwords are masked in this file as follows: [PASSWORD]
You can download the text file. The file is not intended to be uploaded again
unchanged.
● RunningSINEMAConfig
You save the current device configuration in this file type for transfer to STEP 7
Basic/Professional. The file can be imported in STEP 7 Basic/Professional and
installed on a device with the same article number and firmware version.
Before you can save a file, you must assign a password for the "RunningSINEMAConfig"
in the WBM under "System > Load&Save > Passwords". You also need this
password to import the file into STEP 7 Basic/Professional; see also "SINEMAConfig".
● Script
Text file with CLI commands.
You can upload a script file to a device. The CLI commands it contains are executed
appropriately.
CLI commands for saving and loading files cannot be executed with the CLI script file
(Script).

SCALANCE S615 Web Based Management


132 Configuration Manual, 01/2019, C79000-G8976-C388-07
Configuring with Web Based Management
4.5 "System" menu

File type Description


SINEMACon- You load configuration data that was exported via STEP 7 Basic/Professional for
fig transfer to the WBM with this file type.
To load a file, you must assign a password for the "SINEMAConfig" under "System >
Load&Save > Passwords". You also need this password to export the file from
STEP 7 Basic/Professional; see also "RunningSINEMAConfig".
StartupInfo Startup log file
This file contains the messages that were entered in the log during the last startup.
Users This file contains the assignment of the user names to the corresponding passwords.
WBMFav WBM favorites
This file contains the favorites that you created in the WBM. You can download this
file and upload it in other devices.
X509Cert Various nodes are certified with certificates.
The following file types can be loaded into the device:
• .crt, pem, zip: Maximum file name length 255 characters
• .p12: Maximum file name length 248 characters
There are files to which access is password protected. To load the file into the de-
vice, enter the password specified for the file on the WBM page "Passwords
(Page 145)".
The loaded files are listed in "Security > Certificates > Overview (Page 277)".
For more information on certificates, refer to section "Certificates (Page 53)".


4.5.4.2 HTTP

Loading and saving data via HTTP


The WBM allows you to store device data in an external file on your client PC or to load such
data from an external file from the PC to the devices. This means, for example, that you can
also load new firmware from a file located on your Admin PC. On this page, the certificates
required to establish a secure VPN connection can also be loaded.
Firmware
The firmware is signed and encrypted. This ensures that only firmware created by Siemens
can be downloaded to the device.
Configuration files

Note
Configuration files and Trial mode/Automatic Save
In "Automatic Save" mode, the data is saved automatically before the configuration files
(ConfigPack and Config) are transferred.
In "Trial" mode, although the changes are adopted, they are not saved in the configuration
files (ConfigPack and Config). Use the "Write Startup Config" button on the "System >
Configuration" WBM page to save changes in the configuration files.

CLI script file


You can download existing CLI configurations (RunningCLI) and upload your own CLI scripts
(Script).

Note
The downloadable CLI script is not intended to be uploaded again unchanged.
CLI commands for saving and loading files cannot be executed with the CLI script file
(Script).

Exchange of configuration data with STEP 7 Basic/Professional using a file


You use the two file types "RunningSINEMAConfig" and "SINEMAConfig" to exchange
configuration data between a device (WBM) and STEP 7 Basic/Professional via a file.
Requirements:
● Same article number
● Same firmware version
● Password
You assign the password in the WBM under "System > Load&Save > Passwords".


You can use the file types as follows:


● For offline diagnostics
You can save the faulty configuration of a device as "RunningSINEMAConfig" via the
WBM and import it in STEP 7 Basic/Professional. No connection to a real device is
required for the diagnostics in STEP 7 Basic/Professional. You can export a corrected
configuration and load it as "SINEMAConfig" again using the WBM.
● For configuration
No connection to a real device is required to configure a device in STEP 7
Basic/Professional. You can export the configuration and load it as "SINEMAConfig" to
the real device using the WBM.
X509 certificates
The following file types can be loaded into the device:
● .crt, pem, zip: Maximum file name length 255 characters
● .p12: Maximum file name length 248 characters

Description
The table has the following columns:
● Type
Shows the file type.
● Description
Shows the short description of the file type.


● Load
With this button, you can upload files to the device. The button can only be enabled if
this function is supported by the file type.
● Save
With this button, you can download files from the device. The button can only be enabled
if this function is supported by the file type and the file exists on the device.
● Delete
With this button, you can delete files from the device. The button can only be enabled if
this function is supported by the file type and the file exists on the device.

Note
Following a firmware update, delete the cache of your Internet browser.

Procedure
Uploading data using HTTP
1. Start the upload function by clicking one of the "Load" buttons.

Note
Files whose access is password protected
To be able to load these files on the device successfully, you need to enter the password
specified for the file in "System" > "Load&Save" > "Passwords".

A dialog for uploading a file opens.


2. Select the required file and confirm the upload.
The file is uploaded.
3. If a restart is necessary, a message to this effect will be output. Click the "OK" button and
run the restart. If you click the "Abort" button, there is no device restart. The changes only
take effect after a restart.

Note
Cell firmware update M87x
After a cell firmware update, the device automatically restarts.

Downloading data using HTTP


1. Start the download by clicking one of the "Save" buttons.
2. Select a storage location and a name for the file.
3. Save the file.
The file is downloaded and saved.


Deleting files using HTTP


1. Start the delete function by clicking one of the "Delete" buttons.
The file is deleted.
Reusing configuration data
If several devices are to receive the same configuration and the IP addresses are assigned
using DHCP, the effort for configuration can be reduced by saving and reading in the
configuration data.
Follow the steps below to reuse configuration data:
1. Save the configuration data of a configured device on your PC.
2. Load these configuration files on all other devices you want to configure in this way.
3. If individual settings are necessary for specific devices, these must be made online on the
relevant device.

Note
Configuration data has a checksum. If you edit the files, you can no longer upload them to
the IE switch.

4.5.4.3 TFTP

Loading and saving data via a TFTP server


On this page, you can configure the TFTP server and the file names. The WBM also allows
you to store device data in an external file on your client PC or to load such data from an
external file from the PC to the devices. This means, for example, that you can also load new
firmware from a file located on your Admin PC.
On this page, the certificates required to establish a secure VPN connection can also be
loaded.
Firmware
The firmware is signed and encrypted. This ensures that only firmware created by Siemens
can be downloaded to the device.
Configuration files

Note
Configuration files and Trial mode/Automatic Save
In "Automatic Save" mode, the data is saved automatically before the configuration files
(ConfigPack and Config) are transferred.
In "Trial" mode, although the changes are adopted, they are not saved in the configuration
files (ConfigPack and Config). Use the "Write Startup Config" button on the "System >
Configuration" WBM page to save changes in the configuration files.


CLI script file


You can download existing CLI configurations (RunningCLI) and upload your own CLI scripts
(Script).

Note
The downloadable CLI script is not intended to be uploaded again unchanged.
CLI commands for saving and loading files cannot be executed with the CLI script file
(Script).

Exchange of configuration data with STEP 7 Basic/Professional using a file


You use the two file types "RunningSINEMAConfig" and "SINEMAConfig" to exchange
configuration data between a device (WBM) and STEP 7 Basic/Professional via a file.
Requirements:
● Same article number
● Same firmware version
● Password
You assign the password in the WBM under "System > Load&Save > Passwords".
You can use the file types as follows:
● For offline diagnostics
You can save the faulty configuration of a device as "RunningSINEMAConfig" via the
WBM and import it in STEP 7 Basic/Professional. No connection to a real device is
required for the diagnostics in STEP 7 Basic/Professional. You can export a corrected
configuration and load it as "SINEMAConfig" again using the WBM.
● For configuration
No connection to a real device is required to configure a device in STEP 7
Basic/Professional. You can export the configuration and load it as "SINEMAConfig" to
the real device using the WBM.
X509 certificates
The following file types can be loaded into the device:
● .crt, pem, zip: Maximum file name length 255 characters
● .p12: Maximum file name length 248 characters


Description
The page contains the following boxes:
● TFTP Server Address
Enter the IP address or the FQDN (Fully Qualified Domain Name) of the TFTP server with
which you exchange data.
● TFTP Server Port
Enter the port of the TFTP server via which data exchange will be handled. If necessary,
you can change the default value 69 to your own requirements.
The table has the following columns:
● Type
Shows the file type.
● Description
Shows the short description of the file type.
● Filename
A file name is preset here for every file type.

Note
Changing the file name
You can change the file name preset in this column. After loading on the device, the
changed file name can also be used with the Command Line Interface.

● Actions
Select the action from the drop-down list. The selection depends on the selected file type,
for example, the log file can only be saved.
The following actions are possible:


– Save file
With this selection, you save a file on the TFTP server.
– Load file
With this selection, you load a file from the TFTP server.

Procedure
Loading or saving data using TFTP
1. Enter the address of the TFTP server in "TFTP server address".
2. Enter the port of the TFTP server to be used in "TFTP Server Port".
3. If applicable, enter the name of a file in which you want to save the data or take the data
from in "Filename".

Note
Files whose access is password protected
To be able to load these files on the device successfully, you need to enter the password
specified for the file in "System" > "Load&Save" > "Passwords".

4. Select the action you want to execute from the "Actions" drop-down list.
5. Click "Set Values" to start the selected action.
6. If a restart is necessary, a message to this effect will be output. Click the "OK" button to
run the restart. If you click the "Abort" button, there is no device restart. The changes only
take effect after a restart.

Note
Cell firmware update M87x
After a cell firmware update, the device automatically restarts.

Reusing configuration data


If several identical devices are to receive the same configuration and the IP addresses are
assigned using DHCP, the effort for reconfiguration can be reduced by saving and reading in
the configuration data.
Follow the steps below to reuse configuration data:
1. Save the configuration data of a configured device on your PC.
2. Load these configuration files on all other devices you want to configure in this way.
3. If individual settings are necessary for specific devices, these must be made online on the
relevant device.

Note
Configuration data has a checksum. If you change the data, you can no longer upload it to
the device.


4.5.4.4 SFTP

Loading and saving data via an SFTP server


SFTP (SSH File Transfer Protocol) transfers the files encrypted. On this page, you configure
the access data for the SFTP server.
You can also store device data in an external file on your client PC or load such data from an
external file from the PC to the devices. This means, for example, that you can also load new
firmware from a file located on your Admin PC.
On this page, the certificates required to establish a secure VPN connection can also be
loaded.
Firmware
The firmware is signed and encrypted. This ensures that only firmware created by Siemens
can be downloaded to the device.
Configuration files

Note
Configuration files and Trial mode/Automatic Save
In "Automatic Save" mode, the data is saved automatically before the configuration files
(ConfigPack and Config) are transferred.
In "Trial" mode, although the changes are adopted, they are not saved in the configuration
files (ConfigPack and Config). Use the "Write Startup Config" button on the "System >
Configuration" WBM page to save changes in the configuration files.

CLI script file


You can download existing CLI configurations (RunningCLI) and upload your own CLI scripts
(Script).

Note
The downloadable CLI script is not intended to be uploaded again unchanged.
CLI commands for saving and loading files cannot be executed with the CLI script file
(Script).

Exchange of configuration data with STEP 7 Basic/Professional using a file


You use the two file types "RunningSINEMAConfig" and "SINEMAConfig" to exchange
configuration data between a device (WBM) and STEP 7 Basic/Professional via a file.
Requirements:
● Same article number
● Same firmware version
● Password
You assign the password in the WBM under "System > Load&Save > Passwords".


You can use the file types as follows:


● For offline diagnostics
You can save the faulty configuration of a device as "RunningSINEMAConfig" via the
WBM and import it in STEP 7 Basic/Professional. No connection to a real device is
required for the diagnostics in STEP 7 Basic/Professional. You can export a corrected
configuration and load it as "SINEMAConfig" again using the WBM.
● For configuration
No connection to a real device is required to configure a device in STEP 7
Basic/Professional. You can export the configuration and load it as "SINEMAConfig" to
the real device using the WBM.
X509 certificates
The following file types can be loaded into the device:
● .crt, pem, zip: Maximum file name length 255 characters
● .p12: Maximum file name length 248 characters

Description
The page contains the following boxes:
● SFTP Server Address
Enter the IP address or the FQDN of the SFTP server with which you exchange data.
● SFTP Server Port
Enter the port of the SFTP server via which data exchange will be handled. If necessary,
you can change the default value 22 to your own requirements.


● SFTP User
Enter the user for access to the SFTP server. This assumes that a user with the
corresponding rights has been created on the SFTP server.
● SFTP Password
Enter the password for the user.
● SFTP Password Confirmation
Confirm the password.
The table has the following columns:
● Type
Shows the file type.
● Description
Shows the short description of the file type.
● Filename
A file name is preset here for every file type.

Note
Changing the file name
You can change the file name preset in this column. After loading on the device, the
changed file name can also be used with the Command Line Interface.

● Actions
Select the action from the drop-down list. The selection depends on the selected file type,
for example you can only save the log file.
The following actions are possible:
– Save file
With this selection, you save a file on the SFTP server.
– Load file
With this selection, you load a file from the SFTP server.

Procedure
Loading or saving data using SFTP
1. Enter the address of the SFTP server in "SFTP Server Address".
2. Enter the port of the SFTP server to be used in "SFTP Server Port".
3. Enter the user data (user name and password) required for access to the SFTP server.
4. If applicable, enter the name of a file in which you want to save the data or take the data
from in "Filename".

Note
Files whose access is password protected
To be able to load these files on the device successfully, you need to enter the password
specified for the file in "System" > "Load&Save" > "Passwords".


5. Select the action you want to execute from the "Actions" drop-down list.
6. Click "Set Values" to start the selected action.
7. If a restart is necessary, a message to this effect will be output. Click the "OK" button to
run the restart. If you click the "Abort" button, there is no device restart. The changes only
take effect after a restart.

Note
Cell firmware update M87x
After a cell firmware update, the device automatically restarts.

Reusing configuration data


If several identical devices are to receive the same configuration and the IP addresses are
assigned using DHCP, the effort for reconfiguration can be reduced by saving and reading in
the configuration data.
Follow the steps below to reuse configuration data:
1. Save the configuration data of a configured device on your PC.
2. Load these configuration files on all other devices you want to configure in this way.
3. If individual settings are necessary for specific devices, these must be made online on the
relevant device.

Note
Configuration data has a checksum. If you change the data, you can no longer upload it to
the IE switch.


4.5.4.5 Passwords
There are files to which access is password protected. To successfully load the file into the
device, enter the password specified for the file on the WBM page.

Description
The table has the following columns:
● Type
Shows the file type.
● Description
Shows the short description of the file type.
● Setting
When selected, the password is used. Can only be enabled if the password is configured.
● Password
Enter the password for the file.
● Password Confirmation
Confirm the new password.
● Status
Shows whether the current settings for the file match the device.
– Valid
The settings are valid.
– Invalid
The settings are invalid.
– '-'
Status cannot be evaluated.


Procedure
1. Enter the password in "Password".
2. To confirm the password, enter the password again in "Password Confirmation".
3. Select the "Enabled" option.
4. Click the "Set Values" button.

4.5.5 Events

4.5.5.1 Configuration

Selecting system events


On this WBM page, you specify which system events are logged and how.
The following messages are always entered in the event log table and cannot be deselected:
● Changing the admin password
● Starting the device
● Operational status of the device, e.g. whether or not a PLUG is inserted
● Status of errors not yet dealt with
To send these messages to a Syslog server as well, select the "Syslog" check box for the
event "System General Logs".


Description
With Table 1, you can enable or disable all check boxes of a column of Table 2 at once.
Table 1 has the following columns:
● All Events
Shows that the settings are valid for all events of table 2.
● E-mail / Trap / Log Table / Syslog / Fault / Digital Out / VPN Tunnel
Enable or disable the required type of notification for all events. If "No Change" is
selected, the entries of the corresponding column in table 2 remain unchanged.
● Copy To Table
If you click the button, the setting is adopted for all events of table 2.
Table 2 has the following columns:
● Event
The "Event" column contains the following:
– Cold/Warm Start
The device was turned on or restarted by the user. In the error memory of the device a
new entry is generated with the type of restart performed.
– Link Change
This event occurs only when the port status is monitored and has changed, see
"System > Fault Monitoring > Link Change".
– Authentication Failure
This event occurs when access is attempted with an incorrect password.
– Fault State Change
The fault status has changed. The fault state can relate to the activated port
monitoring, the response of the signaling contact or the power supply monitoring.
– Security Logs
An entry is made in the security log if the IPsec method was used for VPN.
– Firewall Logs
Each time individual firewall rules are applied, this is recorded in the firewall log. To do
this, the LOG function must be enabled for the various firewall functions.
– DDNS Client Logs
The event occurs when the DDNS client synchronizes the assigned IP address with
the hostname registered at the DDNS provider.
– System Connection Status
The connection status has changed.


– System General Logs
Connection establishment, change to the configuration.
– Digital In
The event occurs when the status of the digital input has changed.
– VPN Tunnel
The event occurs when the status of VPN (IPsec, OpenVPN, SINEMA RC) has
changed.
– Secure NTP
This event occurs when the device receives the system time from a secure NTP
server.
– Configuration Change
This event occurs when the configuration of the device has changed.
– Service Information
For certain events, entries are made in the log table even without configuration. For
these events, you can configure additional subsequent actions here (e-mail, trap,
syslog).
● E-mail
The device sends an e-mail. This is only possible if the SMTP server is set up and the
"SMTP client" function is enabled.
● Trap
The device sends an SNMP trap. This is only possible if "SNMPv1 Traps" is enabled in
"System > Configuration".
● Log Table
The device writes an entry in the event log table, see "Information > Log Table".
● Syslog
The device writes an entry to the system log server. This is only possible if the system log
server is set up and the "Syslog client" function is enabled.
● Faults
The device triggers an error. The fault LED lights up.
● Digital Out
Controls the digital output or signals the status change with the "DO" LED.
● VPN Tunnel
Controls the forwarding of an event to a VPN connection (IPsec, OpenVPN, SINEMA
RC). As long as the event is present, the VPN connection is switched to active.
● Firewall
Controls application of the user-defined rule set. The prerequisite is that a rule set is
assigned to the digital input under "Security > Firewall > User-specific".


Procedure
Establishing/terminating a VPN tunnel via the digital input
1. For the "Digital In" event, activate the "VPN Tunnel" entry.
2. Configure the VPN connection
– IPsec:
In "Operation" set "wait on DI" or "start on DI". You will find more information on this in
"IPsec > Connections" and in "VPN connection establishment".
– OpenVPN:
In "Operation" set "start on DI". You will find more information on this in "OpenVPN >
Connections" and in "VPN connection establishment".
– SINEMA RC:
In "Type of connection" set "Auto" or "Digital Input". With "Type of connection" "Auto",
on the SINEMA RC Server you need to set the type of connection "Digital Input" under
"Remote connections > Devices". You will find further information on this topic in the
operating instructions "SINEMA RC Server".
3. Click on "Set Values".

4.5.5.2 Severity Filters


On this page, you configure the severity for the sending of system event notifications.


Description
The table has the following columns:
● Client Type
Select the client type for which you want to make settings:
– E-mail
Sending system event messages by e-mail.
– Log Table
Entry of system events in the log table.
– Syslog
Entry of system events in the Syslog file.
● Severity
Select the required severity. The following settings are possible:
– Info
The messages of all severities are sent or logged.
– Warning
The messages of this severity and the "critical" severity are sent or logged.
– Critical
Only the messages of this severity are sent or logged.
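The event routing of Table 2 on the "System > Events > Configuration" page and the three severity levels of this page, worked through in code. This is an added example and not part of the Siemens manual: the event names, the notification columns, the "No Change" behaviour of "Copy To Table" and the Info/Warning/Critical semantics follow the text, while the syslog line layout, the host name, the addresses and the severity of each sample line are constructed for the example. It also adds a defender-side check that flags bursts of "Authentication Failure" events, which the page defines as access attempts with an incorrect password.

```python
"""Event routing and severity filtering of the SCALANCE S615 "System > Events"
WBM pages. Added example, not Siemens code: event names, notification columns,
"No Change" and the three severity levels follow the manual; the syslog line
layout, per-line severities, host name and addresses are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Severity Filters: Info passes everything, Warning passes warning and critical,
# Critical passes only critical.
SEVERITY_RANK = {"info": 0, "warning": 1, "critical": 2}
# Notification columns of Table 2 on the Events > Configuration page.
COLUMNS = ("E-mail", "Trap", "Log Table", "Syslog", "Fault", "Digital Out", "VPN Tunnel")
# Constructed syslog layout: <ISO time> <host> <severity> "<event>" key=value ...
LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) (?P<sev>info|warning|critical) '
                     r'"(?P<event>[^"]+)"(?: (?P<rest>.*))?$')
# Constructed sample lines; 192.0.2.0/24 is the documentation address range.
SAMPLE_SYSLOG = """\
2019-01-15T10:20:00 s615-cell1 info "Link Change" port=P1 state=up
2019-01-15T10:22:03 s615-cell1 warning "Authentication Failure" user=admin src=192.0.2.77
2019-01-15T10:22:09 s615-cell1 warning "Authentication Failure" user=admin src=192.0.2.77
2019-01-15T10:22:15 s615-cell1 warning "Authentication Failure" user=admin src=192.0.2.77
2019-01-15T10:30:00 s615-cell1 warning "Configuration Change" user=admin
2019-01-15T10:31:00 s615-cell1 critical "Fault State Change" cause=power-supply
2019-01-15T10:45:00 s615-cell1 warning "Authentication Failure" user=operator src=192.0.2.12
"""

def default_table2(events):
    """One Table 2 row per event with every notification column disabled."""
    return {event: {col: False for col in COLUMNS} for event in events}

def copy_to_table(table2, table1):
    """Apply "Copy To Table": each Table 1 column setting goes to every row of
    Table 2. A column left at "No Change" keeps its existing entries."""
    for row in table2.values():
        for col, value in table1.items():
            if value != "No Change":
                row[col] = bool(value)
    return table2

def passes_severity(event_severity, client_filter):
    """True if the event severity is at or above the client's configured filter."""
    return SEVERITY_RANK[event_severity] >= SEVERITY_RANK[client_filter]

def notification_targets(event, severity, table2, severity_filters):
    """Columns that fire: enabled in Table 2 and, for client types that have a
    severity filter (E-mail, Log Table, Syslog), at or above that filter."""
    targets = []
    for col, enabled in table2[event].items():
        if enabled and (col not in severity_filters
                        or passes_severity(severity, severity_filters[col])):
            targets.append(col)
    return targets

def parse_line(line):
    """Parse one constructed syslog line into a record, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    extra = dict(kv.split("=", 1) for kv in (m.group("rest") or "").split() if "=" in kv)
    return {"ts": datetime.fromisoformat(m.group("ts")), "host": m.group("host"),
            "severity": m.group("sev"), "event": m.group("event"), **extra}

def authentication_failure_bursts(records, threshold=3, window=timedelta(minutes=5)):
    """(host, src) pairs with `threshold` or more "Authentication Failure" events in
    `window`: the page defines this event as an attempt with an incorrect password."""
    recent, flagged = defaultdict(deque), set()
    for rec in sorted(records, key=lambda r: r["ts"]):
        if rec["event"] != "Authentication Failure":
            continue
        key = (rec["host"], rec.get("src", "?"))
        queue = recent[key]
        queue.append(rec["ts"])
        while rec["ts"] - queue[0] > window:   # drop timestamps outside the window
            queue.popleft()
        if len(queue) >= threshold:
            flagged.add(key)
    return flagged

if __name__ == "__main__":
    table2 = default_table2(["Link Change", "Authentication Failure",
                             "Configuration Change", "Fault State Change"])
    # Table 1: log everything and forward to syslog; E-mail stays as it is ...
    copy_to_table(table2, {"Log Table": True, "Syslog": True, "E-mail": "No Change"})
    # ... then enable E-mail only for the two events worth paging someone about.
    table2["Authentication Failure"]["E-mail"] = True
    table2["Fault State Change"]["E-mail"] = True
    # Severity Filters page: e-mail warning and critical only, log everything.
    filters = {"E-mail": "warning", "Log Table": "info", "Syslog": "info"}
    records = [r for r in map(parse_line, SAMPLE_SYSLOG.splitlines()) if r]
    for rec in records:
        print(f'{rec["event"]:24s} -> {notification_targets(rec["event"], rec["severity"], table2, filters)}')
    print("auth failure bursts:", authentication_failure_bursts(records))
```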


4.5.6 SMTP client

4.5.6.1 General

Network monitoring with e-mails


If events occur, the device can automatically send an e-mail, e.g. to the service technician.
The e-mail contains the identification of the sending device, a description of the cause in
plain text, and a time stamp. This allows centralized network monitoring to be set up for
networks with few nodes based on an e-mail system.
The setting "E-mail" must be enabled in the events in order for e-mails to be sent. The
messages that can be sent depend on the set severity. You configure the associated e-mail
addresses to which the device sends an e-mail during testing or if a fault occurs in the
"Recipient" tab.

Requirements for sending e-mails


● "E-mail" is activated for the relevant event in "System > Events > Configuration".
● The desired severity is configured under "System > Events > Severity level".
● At least one entry exists under "System > SMTP Client > Recipient" and the setting
"Send" is activated.

Description
The page contains the following boxes:
● SMTP Client
Enable or disable the SMTP client.
● SMTP Server Address
Enter the IP address or the FQDN (Fully Qualified Domain Name) of the SMTP server.


The table contains the following columns:


● Select
Select the check box in a row to be deleted.
● Status
Specify whether this SMTP server will be used.
● SMTP Server Address
Shows the IP address or the FQDN (Fully Qualified Domain Name) of the SMTP server.
● Sender Email Address
Enter the e-mail address of the sender that is specified in the e-mail.
● User Name
If necessary, enter the user name used for authentication on the SMTP server.
● Password
If necessary, enter the password used for authentication on the SMTP server.
● Password Confirmation
Repeat the password.
● Port
Enter the port via which your SMTP server can be reached.
Factory settings: 25
● Security
Specify whether transfer of the e-mail from the device to the SMTP server is encrypted.
This is only possible when the SMTP server supports the selected setting.
– SSL/TLS
– StartTLS
– None: The e-mail is transferred unencrypted.

Note
2-factor authentication (2FA)
2-factor authentication is not supported.

● Test
Sends a test e-mail to the configured recipients.
● Test Result
Shows whether the e-mail was sent successfully or not. If sending was not successful,
the message contains possible causes.


Procedure
Configuring the SMTP server
1. Enable the "SMTP Client" function.
2. Enter the IP address or the FQDN of the SMTP server for "SMTP Server Address".
3. Click the "Create" button. A new entry is generated in the table.
4. Enter the name of the sender that will be included in the e-mail for "Sender Email
Address".
5. Enter the user name and password if the SMTP server prompts you to log in.
6. Under "Security", specify whether transfer to the SMTP server is encrypted.
7. Enable the SMTP server entry.
8. Click the "Set Values" button.

Note
Depending on the properties and configuration of the SMTP server, it may be necessary
to adapt the "Sender E-Mail Address" input for the e-mails. Check with the administrator
of the SMTP server.

Testing the configuration of the SMTP server


1. Configure recipients
– Click the "Recipient" tab.
– Select the desired SMTP server under "SMTP server".
– Enter the desired address under "E-mail address of the SMTP recipient".
– Click the "Create" button. A new entry is generated in the table. The setting "Send" is
activated by default.
2. Send test e-mail
– Click the "General" tab.
– Click the "Test" button next to the SMTP server entry. The device sends to every
configured recipient
– Check the test result. If sending was not successful, the message contains possible
causes.


4.5.6.2 Recipient
On this page, you specify who receives an e-mail when an event occurs.

Description
The page contains the following boxes:
● SMTP Server
Specify the SMTP server via which the e-mail is sent.
● Email address of the SMTP recipient
Enter the e-mail address to which the device sends an e-mail.
The table contains the following columns:
● Select
Select the check box in a row to be deleted.
● SMTP Server
Shows the IP address or the FQDN (Fully Qualified Domain Name) of the SMTP server to
which the entry relates.
● Send
When enabled, the device sends an e-mail to this recipient.
● Email address of the SMTP recipient
Shows the e-mail address to which the device sends an e-mail if a fault occurs.

Procedure
Configuring an SMTP recipient
1. Select the required "SMTP Server".
2. Enter the e-mail address of the SMTP recipient.
3. Click the "Create" button. A new entry is generated in the table.
4. Activate the "Send" option for the entry.
5. Click the "Set Values" button.

4.5.7 SNMP

4.5.7.1 General

Configuration of SNMP
On this page, you make the basic settings for SNMP. Enable the check boxes according to
the function you want to use. Note the information in the section "Technical basics".

Description
The page contains the following boxes:
● SNMP
Select the SNMP protocol from the drop-down list. The following settings are possible:
– "-" (disabled)
SNMP is disabled.
– SNMPv1/v2c/v3
SNMPv1/v2c/v3 is supported.

Note
Note that SNMP in versions 1 and 2c does not have any security mechanisms.

– SNMPv3
Only SNMPv3 is supported.
● SNMPv1/v2c Read Only
If you enable this option, SNMPv1/v2c can only read the SNMP variables.

Note
Community String
For security reasons, do not use the standard values "public" or "private". Change the
community strings following the initial installation.
The recommended minimum length for community strings is 6 characters.

● SNMPv1/v2c Read Community String
Enter the community string for read access of the SNMP protocol.
● SNMPv1/v2c Read/Write Community String
Enter the community string for read and write access of the SNMP protocol.
● SNMPv1 Traps
Enable or disable the sending of SNMPv1 traps (alarm frames). On the "Trap" tab,
specify the IP addresses of the devices to which SNMPv1 traps will be sent.
● SNMPv1/v2c Trap Community String
Enter the community string for sending SNMPv1/v2c messages.

● SNMPv3 User Migration
– Enabled
If the function is enabled, an SNMP engine ID is generated that can be migrated. You
can transfer configured SNMPv3 users to a different device.
If you enable this function and load the configuration of the device on another device,
configured SNMPv3 users are retained.
– Disabled
If the function is disabled, a device-specific SNMP engine ID is generated. To
generate the ID, the agent MAC address of the device is used. You cannot transfer
this SNMP user configuration to other devices.
If you load the configuration of the device on another device, all configured SNMPv3
users are deleted.
● SNMP Engine ID
Shows the SNMP engine ID.

Procedure
1. Select the required option from the "SNMP" drop-down list:
– "-" (disabled)
– SNMPv1/v2c/v3
– SNMPv3
2. Enable the "SNMPv1/v2c Read Only" check box if you only want read access to SNMP
variables with SNMPv1/v2c.
3. Enter the required character string in the "SNMPv1/v2c Read Community String" input
box.
4. Enter the required character string in the "SNMPv1/v2c Read/Write Community String"
input box.
5. If necessary, enable the SNMPv3 User Migration.
6. Click the "Set Values" button.

4.5.7.2 Traps

SNMP traps for alarm events
If an alarm event occurs, a device can send SNMP traps (alarm frames) to up to ten different
management stations at the same time. Traps are only sent if the events specified in the
"Events" menu occur.

Note
Traps are only sent if you have enabled the option "SNMPv1 Traps" in the "General" tab or
in "System > Configuration".

Description
The page contains the following boxes:
● Trap Receiver Address
Enter the IP address, the FQDN (Fully Qualified Domain Name) or the host name of the
station to which the device sends SNMP traps. You can specify up to ten different
recipient servers.
The table has the following columns:
● Select
Select the row you want to delete.
● Trap Receiver Address
If necessary, change the IP address, the FQDN (Fully Qualified Domain Name) or the
host name of the stations.
● Trap
Enable or disable the sending of traps. Stations that are entered but not selected do not
receive SNMP traps.

Procedure
Creating a trap entry
1. In "Trap Receiver Address", enter the IP address, the FQDN or the host name of the
station to which the device will send traps.
2. Click the "Create" button to create a new trap entry.
3. Select the check box in the required row "Trap".
4. Click the "Set Values" button.
Deleting a trap entry
1. Enable "Select" in the row to be deleted.
2. Click the "Delete" button. The entry is deleted.

4.5.7.3 v3 Groups

Security settings and assigning permissions
SNMP version 3 provides the assignment of permissions, authentication and encryption at
protocol level. The security level and the read/write permissions are assigned per group;
the settings automatically apply to every member of the group.

Description
The page contains the following boxes:
● Group Name
Enter the name of the group. The maximum length is 32 characters.

● Security Level
Select the security level (authentication, encryption) valid for the selected group. The
available options are as follows:
– No Auth/no Priv
No authentication enabled/no encryption enabled.
– Auth/no Priv
Authentication enabled/no encryption enabled.
– Auth/Priv
Authentication enabled/encryption enabled.
The table has the following columns:
● Select
Select the row you want to delete.
● Group Name
Shows the defined group names.
● Security Level
Shows the configured security level.
● Read
Enable or disable read access for the required group.
● Write
Enable or disable write access for the required group.

Note
For write access to work, you also need to enable read access.

● Persistence
Shows whether or not the group is assigned to an SNMPv3 user. If the group is not
assigned to an SNMPv3 user, no automatic saving is triggered and the configured group
is deleted after restarting the device.
– Yes
The group is assigned to an SNMPv3 user.
– No
The group is not assigned to an SNMPv3 user.

Procedure
Creating a new group
1. Enter the required group name in "Group Name".
2. Select the required security level from the "Security Level" drop-down list.
3. Click the "Create" button to create a new entry.
4. Specify the required read rights for the group in "Read".
5. Specify the required write rights for the group in "Write".
6. Click the "Set Values" button.
Modifying a group
1. Specify the required read rights for the group in "Read".
2. Specify the required write rights for the group in "Write".
3. Click the "Set Values" button.

Note
The group name and the security level can no longer be modified once the group has been
created. If you want to change the group name or the security level, delete the group and
recreate it with the new name or security level.

Deleting a group
1. Enable "Select" in the row to be deleted.
Repeat this for all groups you want to delete.
2. Click the "Delete" button. The entries are deleted.

4.5.7.4 v3 users

User-specific security settings
On the WBM page, you can create new SNMPv3 users and modify or delete existing users.
The user-based security model works with the concept of the user name; in other words, a
user ID is added to every frame. This user name and the applicable security settings are
checked by both the sender and recipient.

Description
The page contains the following boxes:
● User Name
Enter a freely selectable user name. After you have entered the data, you can no longer
modify the name.
The table has the following columns:
● Select
Select the row you want to delete.
● User Name
Shows the created users.

● Group Name
Select the group which will be assigned to the user.
● Authentication Protocol
Specify the authentication protocol for which a password will be stored.
The following settings are available:
– None
– MD5
– SHA

● Encryption Protocol
Specify whether or not a password should be stored for encryption with the DES
algorithm. Can only be enabled when an authentication protocol has been selected.
● Authentication Password
Enter the authentication password in the first input box. This password must have at least
1 character, the maximum length is 32 characters.

Note
Length of the password
As an important measure to maximize security, we recommend that the password has a
minimum length of 6 characters and that it contains special characters,
uppercase/lowercase letters, numbers.

● Authentication Password Confirmation
Confirm the password by repeating the entry.
● Privacy Password
Enter your encryption password. This password must have at least 1 character, the
maximum length is 32 characters.

Note
Length of the password
As an important measure to maximize security, we recommend that the password has a
minimum length of 6 characters and that it contains special characters,
uppercase/lowercase letters, numbers.

● Privacy Password Confirmation
Confirm the encryption password by repeating the entry.
● Persistence
Shows whether or not the user is assigned to an SNMPv3 group. If the user is not
assigned to an SNMPv3 group, no automatic saving is triggered and the configured user
is deleted after restarting the device.
– Yes
The user is assigned to an SNMPv3 group.
– No
The user is not assigned to an SNMPv3 group.

Procedure
Create a new user
1. Enter the name of the new user in the "User Name" input box.
2. Click the "Create" button. A new entry is generated in the table.
3. In "Group Name", select the group to which the new user will belong.
If the group has not yet been created, change to the "v3 Groups" page and make the
settings for this group.
4. If an authentication is necessary for the selected group, select the authentication
algorithm in "Authentication Protocol".
In the relevant input boxes, enter the authentication password and its confirmation.
5. If encryption was specified for the group, select the algorithm in "Privacy Protocol". In the
relevant input boxes, enter the encryption password and the confirmation.
6. Click the "Set Values" button.
Delete user
1. Enable "Select" in the row to be deleted.
Repeat this for all users you want to delete.
2. Click the "Delete" button. The entry is deleted.
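An added example, not Siemens code, illustrating the "SNMP Engine ID" and "SNMPv3 User Migration" settings of the "General" page together with the v3 user passwords above: it derives the localized SNMPv3 keys (RFC 3414) that an agent stores for a user and shows that they only remain valid on another device if the engine ID travels with the configuration. The engine IDs, MAC address, enterprise number and passwords used are constructed placeholders.

```python
"""Added example (not Siemens code): why an SNMPv3 user is bound to the
SNMP engine ID, as described for "SNMPv3 User Migration" and "v3 users".

RFC 3414 turns the authentication/privacy password into a key (Ku) and then
localizes it with the agent's engine ID (Kul). The device stores Kul, not the
password, so a configuration loaded onto a device whose engine ID differs
(the MAC-derived ID of "Migration: Disabled") carries keys that no manager
can reproduce. Engine IDs, MAC and enterprise number below are constructed.
"""
import hashlib

HASHES = {"MD5": hashlib.md5, "SHA": hashlib.sha1}


def password_to_key(password: str, algo: str) -> bytes:
    """RFC 3414 A.2: digest of the password repeated to exactly 1 MiB (Ku)."""
    pw = password.encode()
    reps, rem = divmod(1_048_576, len(pw))
    return HASHES[algo](pw * reps + pw[:rem]).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """RFC 3414 2.6: Kul = H(Ku || snmpEngineID || Ku)."""
    return HASHES[algo](ku + engine_id + ku).digest()


def mac_based_engine_id(mac: bytes, enterprise: int) -> bytes:
    """RFC 3411 SnmpEngineID, format 3: enterprise number with the high bit
    set, format byte 0x03, then the 6-byte agent MAC. This is the shape of
    the device-specific ID the manual describes; the enterprise number passed
    in is a placeholder, not a registered number."""
    if len(mac) != 6:
        raise ValueError("MAC must be 6 bytes")
    return (0x80000000 | enterprise).to_bytes(4, "big") + b"\x03" + mac


def snmpv3_user_keys(auth_pw: str, priv_pw: str, auth_algo: str,
                     engine_id: bytes) -> dict:
    """Keys an agent stores for an Auth/Priv (DES) user on one engine ID.
    DES uses the first 8 bytes of the localized privacy key as the key and
    the next 8 bytes as the pre-IV (RFC 3414 8.1.1.1)."""
    kul_auth = localize_key(password_to_key(auth_pw, auth_algo), engine_id, auth_algo)
    kul_priv = localize_key(password_to_key(priv_pw, auth_algo), engine_id, auth_algo)
    return {"auth_key": kul_auth,
            "des_key": kul_priv[:8],
            "des_pre_iv": kul_priv[8:16]}


def user_survives_transfer(auth_pw: str, priv_pw: str, auth_algo: str,
                           old_engine_id: bytes, new_engine_id: bytes) -> bool:
    """True when the stored keys stay valid on the target device, which is the
    case only if the engine ID travelled with the configuration."""
    return (snmpv3_user_keys(auth_pw, priv_pw, auth_algo, old_engine_id)
            == snmpv3_user_keys(auth_pw, priv_pw, auth_algo, new_engine_id))


if __name__ == "__main__":
    # Constructed values: a migratable engine ID shared by both devices and
    # two MAC-derived engine IDs that differ between devices.
    shared_id = bytes.fromhex("000000000000000000000002")
    dev_a = mac_based_engine_id(bytes.fromhex("0a1b2c3d4e5f"), 1)
    dev_b = mac_based_engine_id(bytes.fromhex("0a1b2c3d4e60"), 1)
    print("migration enabled :",
          user_survives_transfer("maplesyrup", "s3cret!pw", "SHA", shared_id, shared_id))
    print("migration disabled:",
          user_survives_transfer("maplesyrup", "s3cret!pw", "SHA", dev_a, dev_b))
```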

4.5.8 System Time
There are different methods that can be used to set the system time of the device. Only one
method can be active at any one time.
If one method is activated, the previously activated method is automatically deactivated.

4.5.8.1 Manual Setting

Manual setting of the system time
On this page, you set the date and time of the system yourself. For this setting to be used,
enable "Time Manually".

Description
The page contains the following boxes:
● Time Manually
Enable or disable the manual time setting. If you enable the option, the "System Time"
input box can be edited.
● System Time
Enter the date and time in the format "MM/DD/YYYY HH:MM:SS".
After a restart, the time of day begins at 01/01/2000 00:00:00.
● Use PC Time
Click the button to use the time setting of the PC.
● Last Synchronization Time
Shows when the last time-of-day synchronization took place. If no time-of-day
synchronization was possible, the box displays "Date/time not set".

● Last Synchronization Mechanism
Shows how the last time synchronization was performed.
– Not set
The time was not set.
– Manual
Manual time setting
– SNTP
Automatic time-of-day synchronization with SNTP
– NTP
Automatic time-of-day synchronization with NTP
– SIMATIC
Automatic time-of-day synchronization using the SIMATIC time frame
● Daylight Saving Time
Shows whether the daylight saving time changeover is active.
– active (offset +1 h)
The system time was changed to daylight saving time; in other words, an hour was
added. You can see the current system time at the top right in the selection area of the
WBM.
The set time continues to be displayed in the "System Time" box.
– inactive (offset +0 h)
The current system time is not changed.

Procedure
1. Enable the "Time Manually" option.
2. Click in the "System Time" input box.
3. In the "System Time" input box, enter the date and time in the format "MM/DD/YYYY
HH:MM:SS".
4. Click the "Set Values" button.
The date and time are adopted and "Manual" is entered in "Last Synchronization
Mechanism" box.

4.5.8.2 DST Overview

Daylight saving time switchover
On this page, you can create new entries for the daylight saving time changeover. The table
provides an overview of the existing entries.

Settings
The page contains the following boxes:
● Select
Select the row you want to delete.
● DST No.
Shows the number of the entry.
If you create a new entry, a new line with a unique number is created.
● Name
Shows the name of the entry.
● Year
Shows the year for which the entry was created.
● Start Date
Shows the month, day and time for the start of daylight saving time.
● End Date
Shows the month, day and time for the end of daylight saving time.
● Recurring Date
With an entry of the type "Recurring", the period in which daylight saving time is active is
displayed consisting of week, day, month and time of day.
With an entry of the type "Date" a "-" is displayed.

● Status
Shows the status of the entry:
– Enabled
The entry was created correctly.
– Invalid
The entry was newly created and its start and end dates are identical.
● Type
Shows how the daylight saving time changeover is made:
– Date
A fixed date is entered for the daylight saving time changeover.
– Recurring
A rule was defined for the daylight saving time changeover.

Procedure
Creating an entry
1. Click the "Create" button.
A new entry is created in the table.
2. Click on the required entry in the "DST No." column.
You change to the "DST Configuration" page.
3. Select the required type in the "Type" drop-down list.
Depending on the selected type, various settings are available.
4. Enter a name in the "Name" box.
5. If you have selected the type "Date", fill in the following boxes.
– Year
– Day (for start and end date)
– Hour (for start and end date)
– Month (for start and end date)
6. If you have selected the type "Recurring", fill in the following boxes.
– Hour (for start and end date)
– Month (for start and end date)
– Week (for start and end date)
– Day (for start and end date)
7. Click the "Set Values" button.

Deleting an entry
1. Enable "Select" in the row to be deleted.
2. Click the "Delete" button. The entry is deleted.

4.5.8.3 DST Configuration

Configuring the daylight saving time switchover
On this page, you can configure the entries for the daylight saving time changeover. As a
result of the changeover to daylight saving or standard time, the system time for the local
time zone is set correctly.
You can define a rule for the daylight saving time changeover or specify a fixed date.

Settings

Note
The content of this page depends on the selection in the "Type" box.
The boxes "DST No.", "Type" and "Name" are always shown.

● DST No.
Select the type of the entry.
● Type
Select how the daylight saving time changeover is made:
– Date
You can enter a fixed date for the daylight saving time changeover.
This setting is suitable for regions in which the daylight saving time changeover is not
governed by rules.
– Recurring
You can define a rule for the daylight saving time changeover.
This setting is suitable for regions in which the daylight saving time always begins or
ends on a certain weekday.
● Name
Enter a name for the entry.
The name can be a maximum of 16 characters long.
Settings with "Date" selected

You can set a fixed date for the start and end of daylight saving time.
● Year
Enter the year for the daylight saving time changeover.
● Start Date
Enter the following values for the start of daylight saving time:
– Day
Enter the day.
– Hour
Enter the hour.
– Month
Enter the month.
● End Date
Enter the following values for the end of daylight saving time:
– Day
Enter the day.
– Hour
Enter the hour.
– Month
Enter the month.

Settings with "Recurring" selected

You can create a rule for the daylight saving time changeover.
● Year
Enter the year for the daylight saving time changeover.
● Start Date
Enter the following values for the start of daylight saving time:
– Hour
Enter the hour.
– Month
Enter the month.
– Week
Enter the week.
You can select the first to fourth or the last week of the month.
– Day
Enter the weekday.

● End Date
Enter the following values for the end of daylight saving time:
– Hour
Enter the hour.
– Month
Enter the month.
– Week
Enter the week.
You can select the first to fourth or the last week of the month.
– Day
Enter the weekday.
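An added example, not Siemens code, that resolves a "Recurring" entry (month, week, weekday and hour for start and end, as described above) into concrete changeover times for a year, reports the "Invalid" status shown in the DST overview when start and end coincide, and yields the +1 h offset while daylight saving time is active. The rules and timestamps are constructed, and times are compared as local standard time.

```python
"""Added example (not Siemens code): resolving a "Recurring" DST entry.

A recurring entry gives, for start and end, a month, a week (first to
fourth, or the last week of the month), a weekday and an hour. This code
turns such a rule into concrete changeover times for a year, mirrors the
"Invalid" status of the overview when start and end coincide, and reports
the DST offset (1 h active, 0 h inactive). Rules and timestamps are
constructed; comparisons use naive local standard time.
"""
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta

LAST_WEEK = 5  # "the last week of the month" in the Week box
WEEKDAYS = {"Monday": 0, "Tuesday": 1, "Wednesday": 2, "Thursday": 3,
            "Friday": 4, "Saturday": 5, "Sunday": 6}


@dataclass(frozen=True)
class RecurringPoint:
    month: int
    week: int   # 1..4 or LAST_WEEK
    day: str    # weekday name as in the "Day" box
    hour: int


@dataclass(frozen=True)
class RecurringRule:
    name: str
    start: RecurringPoint
    end: RecurringPoint


def resolve(point: RecurringPoint, year: int) -> datetime:
    """Concrete date/time of 'the <week>th <weekday> of <month> at <hour>'."""
    if not 1 <= point.week <= LAST_WEEK:
        raise ValueError("week must be 1-4 or LAST_WEEK")
    wd = WEEKDAYS[point.day]
    if point.week == LAST_WEEK:
        # Start from the last day of the month and step back to the weekday.
        last = datetime(year, point.month, calendar.monthrange(year, point.month)[1])
        date = last - timedelta(days=(last.weekday() - wd) % 7)
    else:
        # First occurrence of the weekday, then whole weeks forward.
        first = datetime(year, point.month, 1)
        date = first + timedelta(days=(wd - first.weekday()) % 7 + 7 * (point.week - 1))
    return date.replace(hour=point.hour)


def status(rule: RecurringRule, year: int) -> str:
    """Mirrors the "Status" column: "Invalid" when start and end are identical."""
    return "Invalid" if resolve(rule.start, year) == resolve(rule.end, year) else "Enabled"


def dst_offset_hours(rule: RecurringRule, when: datetime) -> int:
    """1 while daylight saving time is active, otherwise 0. Also handles rules
    whose active period wraps around the year end (southern hemisphere)."""
    if status(rule, when.year) == "Invalid":
        return 0
    start, end = resolve(rule.start, when.year), resolve(rule.end, when.year)
    if start < end:
        active = start <= when < end
    else:
        active = when >= start or when < end
    return 1 if active else 0


if __name__ == "__main__":
    # Constructed rule: last Sunday of March 02:00 to last Sunday of October 03:00.
    eu = RecurringRule("EU", RecurringPoint(3, LAST_WEEK, "Sunday", 2),
                       RecurringPoint(10, LAST_WEEK, "Sunday", 3))
    print(status(eu, 2019), resolve(eu.start, 2019), resolve(eu.end, 2019))
    print("offset on 2019-07-01:", dst_offset_hours(eu, datetime(2019, 7, 1, 12)), "h")
```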

4.5.8.4 SNTP Client

Time-of-day synchronization in the network
SNTP (Simple Network Time Protocol) is used for synchronizing the time in the network. The
appropriate frames are sent by an SNTP server in the network.

Requirement
To receive the SNTP frames, enable the entry "System Time" under "Security > Firewall >
Predefined IPv4 rules".

Description
The page contains the following boxes:
● SNTP Client
When enabled, the device receives the system time from an SNTP server.
● Current System Time
Shows the current date and current normal time received by the IE switch. If you specify
a time zone, the time information is adapted accordingly.
● Last Synchronization Time
Shows when the last time-of-day synchronization took place.
● Last Synchronization Mechanism
Shows how the last time synchronization was performed. The following types are
possible:
– Not set
The time was not set.
– Manual
Manual time setting
– SNTP
Automatic time-of-day synchronization with SNTP
– NTP
Automatic time-of-day synchronization with NTP
– SIMATIC
Automatic time-of-day synchronization using the SIMATIC time frame
● Time Zone
In this box, enter the time zone you are using in the format "+/- HH:MM". The time zone
relates to UTC standard world time.
The time in the "Current System Time" box is adapted accordingly.
● Daylight Saving Time
Shows whether the daylight saving time changeover is active.
– active (offset +1 h)
The system time was changed to daylight saving time; in other words, an hour was
added. You can see the current system time at the top right in the selection area of the
WBM.
The set time continues to be displayed in the "System Time" box.
– inactive (offset +0 h)
The current system time is not changed.

● SNTP Mode
Select the synchronization mode from the drop-down list. The following types are
possible:
– Poll
If you select this mode, the input boxes "SNTP Server Address", "SNTP Server Port"
and "Poll Interval[s]" are displayed to allow further configuration. With this type of
synchronization, the device is active and sends a time query to the SNTP server.
In this mode, IPv4 and IPv6 addresses are supported.
– Listen
With this type of synchronization, the device is passive and receives SNTP frames
that deliver the time of day. For this mode, create the following firewall rules from
"VLANx" to "Device" manually. In this mode, only IPv4 addresses are supported.

Note
SNTP Client in Listen mode and NTP Server cannot be enabled at the same time.

● Poll Interval[s]
Enter the interval between two time queries. In this box, you enter the polling interval in
seconds. Possible values are 16 to 16284 seconds.
The table has the following columns:
● Select
Select the row you want to delete.
● SNTP Server Address
Enter the IP address, the FQDN (Fully Qualified Domain Name) or the host name of the
SNTP server.
● SNTP Server Port
Enter the port of the SNTP server.
The following ports are possible:
– 123 (standard port)
– 1025 to 36564
● Poll Interval[s]
Enter the interval between two time queries. In this box, you enter the polling interval in
seconds. Possible values are 16 to 16284 seconds.

Procedure
1. Click the "SNTP Client" check box to enable the automatic time setting.
2. In "Time Zone", enter the local time difference to world time (UTC).
The input format is "+/-HH:MM" because the NTP server always sends UTC time, for
example +02:00 for CEST, the Central European Summer Time. This time is recalculated
and displayed as the local time based on the specified time zone.

3. Select one of the following options from the "SNTP Mode" drop-down list:
– Poll
For this mode, you need to configure the following:
- time zone difference (step 2)
- time server (step 4)
- port (step 5)
- query interval (step 6)
- complete the configuration with step 7.
– Listen
For this mode, you need to configure the following:
- time difference to the time sent by the server (step 2)
- time server (step 4)
- port (step 5)
- complete the configuration with step 7.
4. In "SNTP Server Address", enter the address of the SNTP server whose frames will be
used to synchronize the time of day.
5. In "SNTP Server Port", enter the port via which the SNTP server is available. The port
can only be modified if the IP address of the SNTP server is entered.
6. In "Poll Interval[s]", enter the time in seconds after which a new time query is sent to the
time server.
7. Click the "Set Values" button.

4.5.8.5 NTP Client

Automatic time-of-day setting with NTP
If time synchronization is to take place via NTP, define the time server that is used to
synchronize the time.

Requirement
To receive the NTP frames, enable the entry "System Time" under "Security > Firewall >
Predefined IPv4 rules".

Description
The page contains the following boxes:
● NTP client
When enabled, the device receives the system time from an NTP server.
● Secure NTP Client only
When enabled, the device receives the system time from a secure NTP server. The
setting applies to all server entries.
To use the secure NTP client, you configure the parameters for authentication (key ID,
hash algorithm, key).
● Current System Time
Shows the current date and current normal time received by the device. If you specify a
time zone, the time information is adapted accordingly.
● Last Synchronization Time
Shows when the last time-of-day synchronization took place.
● Last Synchronization Mechanism
Shows how the last time synchronization was performed. The following methods are
possible:
– Not set
The time was not set.
– Manual
Manual time setting
– SNTP
Automatic time-of-day synchronization with SNTP
– NTP
Automatic time-of-day synchronization with NTP
– SIMATIC
Automatic time-of-day synchronization using the SIMATIC time frame
– PTP
Automatic time-of-day synchronization with PTP
● Time Zone
Enter the time zone you are using in the format "+/- HH:MM". The time zone relates to
UTC standard world time.
The time in the "Current System Time" box is adapted accordingly.

● Daylight Saving Time
Shows whether the daylight saving time changeover is active.
– active (offset +1 h)
The system time was changed to daylight saving time; in other words, an hour was
added. You can see the current system time at the top right in the selection area of the
WBM.
The set time continues to be displayed in the "System Time" box.
– inactive (offset +0 h)
The current system time is not changed.
● NTP Server Index
Select the index of the NTP server. The server with the lowest index is queried first.
Configure the NTP servers in the table. The table has the following columns:
● Select
Select the row you want to delete.
● NTP Server Index
Number corresponding to a specific NTP server entry.
● NTP Server Address
Enter the IP address, the FQDN (Fully Qualified Domain Name) or the host name of the
NTP server.
● NTP Server Port
Enter the port of the NTP server.
The following ports are possible:
– 123 (standard port)
– 1025 to 36564
● Poll Interval
Specify the interval between two time queries. The greater the interval, the less accurate
the time of the device.
Possible values are 64 to 2592000 seconds (30 days).
The following columns are only relevant for a secure NTP client. If the check box "Secure
NTP Client only" is not selected, these boxes are grayed out:
● Key ID
Enter the ID of the authentication key.
● Hash Algorithm
Specify the format for the authentication key.

● Key
Enter the authentication key. The length depends on the hash algorithm.
The following minimum lengths are recommended for the hash algorithm:
– MD5: ASCII 16 characters
– SHA1: ASCII 20 characters
● Key confirmation
Repeat the authentication key.

Procedure
Time-of-day synchronization with NTP server
1. Click in the "NTP Client" check box to enable the automatic time setting using NTP.
2. In "Time Zone", enter the local time difference to world time (UTC).
The input format is "+/-HH:MM" because the NTP server always sends UTC time, for
example +02:00 for CEST, the Central European Summer Time. This time is recalculated
and displayed as the local time based on the specified time zone.
3. Select the "NTP Server Index".
4. Click the "Create" button.
A new row is inserted in the table for the NTP server.
5. In "NTP Server Address", enter the address of the NTP server whose frames are used to
synchronize the time of day.
6. In "NTP Server Port", enter the port via which the NTP server is available. The port can
only be modified if the address of the NTP server is entered.
7. In the "Poll Interval" column, enter the interval in seconds after which a new time-of-day
query is sent to the time server.
8. Click the "Set Values" button.
Time-of-day synchronization via a secure NTP server
To synchronize the time of day via a secure NTP server, the following additional steps are
necessary:
1. Click the "Secure NTP Client only" check box to enable the automatic time setting using
Secure NTP.
2. Configure the authentication.
– In "Key ID" enter the ID of the authentication key.
– In "Hash Algorithm" select the required format.
– In "Key" enter the authentication key.
With these entries, the NTP client authenticates itself with the secure NTP server. These
entries must be present on the secure NTP server.
3. Click the "Set Values" button.

4.5.8.6 SIMATIC Time Client

Time setting via SIMATIC time client

Description
The page contains the following boxes:
● SIMATIC Time Client
Select this check box to enable the device as a SIMATIC time client.
● Current System Time
Shows the current system time.
● Last Synchronization Time
Shows when the last time-of-day synchronization took place.
● Last Synchronization Mechanism
Shows how the last time synchronization was performed. The following methods are
possible:
– Not set
The time was not set.
– Manual
Manual time setting
– SNTP
Automatic time-of-day synchronization with SNTP
– NTP
Automatic time-of-day synchronization with NTP
– SIMATIC
Automatic time-of-day synchronization using the SIMATIC time frame

● Daylight Saving Time
Shows whether the daylight saving time changeover is active.
– active (offset +1 h)
The system time was changed to daylight saving time; in other words, an hour was
added. You can see the current system time at the top right in the selection area of the
WBM.
The set time continues to be displayed in the "System Time" box.
– inactive (offset +0 h)
The current system time is not changed.

Procedure
1. Click the "SIMATIC Time Client" check box to enable the SIMATIC Time Client.
2. Click the "Set Values" button.

4.5.8.7 NTP Server
On this WBM page, you configure the device as an NTP server or as an NTP server of the
type "NTP (secure)". The other devices can call up the time made available by the device via
this NTP server. This means that the supplied devices are not dependent on a connection to
an external time server.

Note
Time synchronization
Also configure the device as NTP client so that it synchronizes the connected devices to a
correct time. As NTP client, the device gets the precise time from an external time server
and as NTP server distributes it to its NTP clients.

Requirement
● To receive the NTP frames, enable the entry "System Time" under "Security > Firewall >
Predefined IPv4 rules".

Description
The page contains the following boxes:
● NTP Server
Enable or disable the service of the NTP server.

Note
SNTP Client in Listen mode and NTP Server cannot be enabled at the same time.

● Interface
Specify the interface via which the time is transferred using NTP.
The table has the following columns:
● Select
Select the row you want to delete.
● Interface
Via this interface the time is transferred using NTP.
● Listen
When enabled, the other devices can call up the time via this interface.
● Server Port
Enter the port of the NTP server.
The following ports are possible:
– 123 (standard port)
– 1025 to 36564
● Secure
When this is enabled, the NTP server becomes an NTP server of the type "NTP
(secure)".
The following columns are only relevant for "NTP (secure)". Otherwise, these boxes cannot
be edited:
● Key ID
Enter the ID of the authentication key.
● Hash Algorithm
Specify the format for the authentication key.
● Key
Enter the authentication key. The length depends on the hash algorithm.
The following minimum lengths are recommended for the hash algorithm:
– MD5: ASCII 16 characters
– SHA1: ASCII 20 characters
● Key Confirmation
Enter the authentication key for confirmation.
● Status
Shows whether or not the interface is active.
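To make the "Key ID", "Hash Algorithm" and "Key" boxes concrete, here is an added example (not code from the manual or from Siemens) of RFC 5905 symmetric-key authentication, which is assumed here to be the mechanism behind an NTP server of the type "NTP (secure)": the sender appends the 4-byte key ID and a digest of key || packet, and the receiver looks up the key by ID, recomputes the digest and compares it. The packet contents, key values and key IDs are constructed for illustration; the minimum key lengths are the ones the page recommends.

```python
import hashlib
import hmac
import struct

# Minimum ASCII key lengths recommended on the WBM page, and the digest
# length each algorithm appends to the packet (RFC 5905 symmetric-key MAC).
MIN_KEY_LEN = {"MD5": 16, "SHA1": 20}
DIGEST_LEN = {"MD5": 16, "SHA1": 20}
NTP_HEADER_LEN = 48


def key_meets_minimum(hash_algorithm: str, key: str) -> bool:
    """True if the ASCII key is at least as long as the page recommends."""
    return len(key) >= MIN_KEY_LEN[hash_algorithm]


def build_ntp_header(xmit_seconds: int, xmit_fraction: int = 0) -> bytes:
    """Constructed 48-byte NTPv4 header: LI=0, VN=4, mode=3 (client); all
    fields zero except the transmit timestamp."""
    li_vn_mode = (0 << 6) | (4 << 3) | 3
    head = bytes([li_vn_mode, 0, 0, 0])   # LI/VN/mode, stratum, poll, precision
    middle = bytes(36)                    # root delay/dispersion, ref id, ref/orig/recv timestamps
    return head + middle + struct.pack("!II", xmit_seconds, xmit_fraction)


def append_mac(packet: bytes, key_id: int, hash_algorithm: str, key: str) -> bytes:
    """Sender side: append key ID (4 bytes) and digest(key || packet)."""
    digest = hashlib.new(hash_algorithm.lower(), key.encode("ascii") + packet).digest()
    return packet + struct.pack("!I", key_id) + digest


def verify_mac(message: bytes, keys: dict, hash_algorithm: str) -> bool:
    """Receiver side: look up the key by ID, recompute the digest over the
    48-byte packet body and compare in constant time. An unknown key ID, a
    wrong key or any modification of the packet makes this return False.
    (Assumes no NTP extension fields, so the body is exactly 48 bytes.)"""
    dlen = DIGEST_LEN[hash_algorithm]
    if len(message) != NTP_HEADER_LEN + 4 + dlen:
        return False
    body, mac = message[:NTP_HEADER_LEN], message[NTP_HEADER_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    key = keys.get(key_id)
    if key is None:
        return False
    expected = hashlib.new(hash_algorithm.lower(), key.encode("ascii") + body).digest()
    return hmac.compare_digest(expected, mac[4:])


if __name__ == "__main__":
    # Constructed key table: key ID 7 -> 20-character ASCII key for SHA1.
    keys = {7: "b" * 20}
    pkt = build_ntp_header(3_900_000_000)
    signed = append_mac(pkt, 7, "SHA1", keys[7])
    print("key long enough:", key_meets_minimum("SHA1", keys[7]))
    print("verified:", verify_mac(signed, keys, "SHA1"))
```

The key ID is what lets the server and its clients agree on which shared key was used; a client that does not hold the key for that ID must discard the packet rather than accept the time.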

4.5.9 Auto Logout

Setting the automatic logout


On this page, set the times after which there is an automatic logout from the WBM or the CLI
following user inactivity.
If you have been logged out automatically, you will need to log in again.

Note
No automatic logout from the CLI
If the connection is not terminated after the set time, check the "Keep alive" setting on the
Telnet client.
If the interval for "Keep alive" is shorter than the configured time, the connection is
maintained although no user data is transferred. You have set, for example, 300 seconds for
the automatic logoff and the "Keep alive" function is set to 120 seconds. In this case, a
packet is sent every 120 seconds that keeps the connection uninterrupted.
● Turn off the "Keep alive" (interval time=0)
or
● Set the interval high enough so that the underlying connection is terminated when there is
inactivity.

Procedure
1. Enter a value of 60-3600 seconds in the "Web Base Management [s]" input box. If you
enter the value 0, the automatic logout is disabled.
2. Enter a value of 60-600 seconds in the "CLI (TELNET, SSH) [s]" input box. If you enter
the value 0, the automatic logout is disabled.
3. Click the "Set Values" button.

4.5.10 Button

Functionality
The SELECT/SET button is used to:
● Restart
● Load new firmware
● Reset to factory settings.
You will find a detailed description of the functions in the operating instructions for the
device.
On this page, the functionality of the button can be restricted.

Description
The following functionality is possible:
● Restart / Restore Factory Defaults
When disabled, the SELECT/SET button cannot be used for a restart or to restore factory
settings.

CAUTION
Button function "Restart / Restore Factory Defaults" active during startup
If you have disabled this function in your configuration, disabling is only valid during
operation. When restarting, for example after power off, the function is active until the
configuration is loaded and the device can therefore inadvertently be reset to the factory
settings. This may cause unwanted disruption in network operation since the device
then needs to be reconfigured. An inserted PLUG is also deleted and returned to the
status as shipped.

You will find more information on how to restore the device to the factory defaults despite
disabled functions in the section "Upkeep and maintenance (Page 317)".

4.5.11 Syslog client


Syslog according to RFC 3164 is used for transferring short, unencrypted text messages
over UDP in the IP network. This requires a Syslog server.

Requirements for sending log entries


● The Syslog function is enabled on the device.
● The Syslog function is enabled for the relevant event.
● There is a Syslog server in your network that receives the log entries. Since this is a UDP
connection, there is no acknowledgment to the sender.
● The IP address of the Syslog server is entered on the device.
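As an added example (not code from the manual or from Siemens), the following parser shows what arrives at the Syslog server from a client of this kind: an RFC 3164 line carrying the PRI value (facility and severity packed into one number), the space-padded timestamp, the host name and the message with its optional TAG[PID] prefix. The sample lines are constructed; their host name, tags and texts are illustrative and not actual S615 output.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# RFC 3164 facility and severity names, indexed by their numeric codes.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>TIMESTAMP HOSTNAME MSG, with TIMESTAMP "Mmm dd hh:mm:ss" and a
# space-padded day (RFC 3164 section 4.1.2).
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)
# Optional TAG[PID]: prefix at the start of the MSG part.
TAG_RE = re.compile(r"^(?P<tag>[A-Za-z0-9_./-]{1,32})(?:\[(?P<pid>\d+)\])?:\s?(?P<content>.*)$")


@dataclass
class SyslogMessage:
    facility: str
    severity: str
    severity_code: int
    timestamp: str
    hostname: str
    tag: Optional[str]
    pid: Optional[int]
    content: str


def parse_syslog(line: str) -> SyslogMessage:
    """Parse one RFC 3164 line; raises ValueError for malformed input."""
    m = SYSLOG_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"not an RFC 3164 message: {line!r}")
    pri = int(m["pri"])
    if pri > 191:
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = FACILITIES[pri >> 3], SEVERITIES[pri & 7]
    t = TAG_RE.match(m["msg"])
    tag = t["tag"] if t else None
    pid = int(t["pid"]) if t and t["pid"] else None
    content = t["content"] if t else m["msg"]
    return SyslogMessage(facility, severity, pri & 7, m["ts"], m["host"], tag, pid, content)


def urgent_messages(lines: List[str], threshold: str) -> List[SyslogMessage]:
    """Return the parsed messages at the given severity or more severe
    (a lower severity code), skipping lines that do not parse."""
    limit = SEVERITIES.index(threshold)
    out = []
    for line in lines:
        try:
            msg = parse_syslog(line)
        except ValueError:
            continue
        if msg.severity_code <= limit:
            out.append(msg)
    return out


# Constructed sample lines in the shape a Syslog client sends over UDP.
SAMPLE_LINES = [
    "<34>Jan  5 12:34:56 s615-cell1 firewall[71]: IPv4 rule 3 dropped packet from 10.0.0.5",
    "<13>Feb 14 08:00:01 s615-cell1 wbm: user admin logged in",
    "<166>Mar  1 00:00:00 s615-cell1 ntpd[12]: clock stepped by 0.2 s",
    "this line is not syslog at all",
]

if __name__ == "__main__":
    for msg in urgent_messages(SAMPLE_LINES, "err"):
        print(msg.severity, msg.hostname, msg.tag, msg.content)
```

Because the transport is UDP without acknowledgment, the collector cannot tell a dropped datagram from a quiet device; a receiver that counts messages per host and alerts on silence is the usual compensation.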

Description
The page contains the following boxes:
● Syslog Client
Enable or disable the Syslog function.
● Syslog Server Address
Enter the IP address of the Syslog server.
This table contains the following columns:
● Select
Select the row you want to delete.
● Syslog Server Address
Shows the IP address of the Syslog server.
● Server Port
Enter the port of the Syslog server being used.

Procedure
Enabling function
1. Select the "Syslog Client" check box.
2. Click the "Set Values" button.
Creating a new entry
1. In the "Syslog Server Address" input box, enter the IP address of the Syslog server on
which the log entries will be saved.
2. Click the "Create" button. A new row is inserted in the table.
3. In the "Server Port" input box, enter the number of the UDP port of the server.
4. Click the "Set Values" button.

Note
The default setting of the server port is 514.

Changing the entry


1. Delete the entry.
2. Create a new entry.
Deleting an entry
1. Select the check box in the row to be deleted.
2. Click the "Delete" button. All selected entries are deleted and the display is refreshed.

4.5.12 Fault Monitoring

4.5.12.1 Link Change

Configuration of fault monitoring of status changes on connections


On this page, you configure whether or not an error message is triggered if there is a status
change on a network connection.
If connection monitoring is enabled, an error is signaled
● when a link is expected on a port but none is present, or
● when no link is expected on a port but a link is detected.
A fault causes the fault LED on the device to light up and, depending on the configuration,
can trigger a trap, an e-mail, or an entry in the event log table.

Description
Table 1 has the following columns:
● 1st column
Shows that the settings are valid for all ports.
● Setting
Select the setting from the drop-down list. You have the following setting options:
– "-" (disabled)
– Up
– Down
– No Change: The setting in table 2 remains unchanged.

● Copy to Table
If you click the button, the setting is adopted for all ports of table 2.
Table 2 has the following columns:
● Port
Shows the available ports and link aggregations. The port is made up of the module
number and the port number, for example port 0.1 is module 0, port 1.
● Setting
Select the setting from the drop-down list. You have the following options:
– Up
Error handling is triggered when the port changes to the active status.
(From "Link down" to "Link up")
– Down
Error handling is triggered when the port changes to the inactive status.
(From "Link up" to "Link down")
– "-" (disabled)
The error handling is not triggered.

Procedure
Configure error monitoring for a port
1. From the relevant drop-down list, select the options of the slots / ports whose connection
status you want to monitor.
2. Click the "Set Values" button.
Configure error monitoring for all ports
1. Select the required setting from the drop-down list of the "Setting" column.
2. Click the "Copy to table" button. The setting is adopted for all ports of table 2.
3. Click the "Set Values" button.

4.5.13 PLUG

4.5.13.1 Configuration

NOTICE
Do not remove or insert a C-PLUG / KEY-PLUG during operation!
A PLUG may only be removed or inserted when the device is turned off.
The device checks whether or not a PLUG is present at one second intervals. If it is
detected that the PLUG was removed, there is a restart. If a valid KEY-PLUG was inserted
in the device, the device changes to a defined error state following the restart. With
SCALANCE M, the available wireless interfaces are deactivated in this case.
If the device was configured at some time with a PLUG, the device can no longer be used
without this PLUG. To be able to use the device again, reset the device to the factory
settings.

Information about the configuration of the KEY-PLUG


This page provides detailed information about the configuration stored on the C-PLUG. It is
also possible to reset the PLUG to "factory defaults" or to load it with new contents.

Note
Incompatibility with previous versions with PLUG inserted
During the installation of a previous version, the configuration data can be lost. In this case,
the device starts up with the factory settings after the firmware has been installed. In this
situation, if a PLUG is inserted in the device, following the restart, this has the status "Not
Accepted" since the PLUG still has the configuration data of the previous more up-to-date
firmware. This allows you to return to the previous, more up-to-date firmware without any
loss of configuration data.
If the original configuration on the PLUG is no longer required, the PLUG can be deleted or
rewritten manually using "System > PLUG".

Note
The action is only executed after you click the "Set Values" button.
The action cannot be undone.
If you decide against executing the function after making your selection, click the "Refresh"
button. As a result the data of this page is read from the device again and the selection is
canceled.

Description
The table has the following rows:
● Status
Shows the status of the PLUG. The following are possible:
– ACCEPTED
There is a PLUG with a valid and suitable configuration in the device.
– NOT ACCEPTED
Invalid or incompatible configuration on the inserted PLUG.
– NOT PRESENT
There is no C-PLUG or KEY-PLUG inserted in the device.
– FACTORY
PLUG is inserted and does not contain a configuration. This status is also displayed
when the PLUG was formatted during operation.
– MISSING
There is no PLUG inserted. Functions are configured on the device for which a license
is required.
● Device Group
Shows the SIMATIC NET product line that used the C-PLUG or KEY-PLUG previously.

● Device Type
Shows the device type within the product line that used the C-PLUG or KEY-PLUG
previously.
● Configuration Revision
The version of the configuration structure. This information relates to the configuration
options supported by the device and has nothing to do with the concrete hardware
configuration. This revision information therefore does not change if you add or remove
additional components (modules or extenders); it can, however, change if you update the
firmware.
● File System
Displays the type of file system on the PLUG.
● File System Size
Displays the maximum storage capacity of the file system on the PLUG.
● File System Usage
Displays the memory utilization of the file system of the PLUG.
● Firmware on PLUG (as of firmware version 4.3)
When enabled, the firmware will be stored on the PLUG. This means that automatic
firmware updates/downgrades can be made with the PLUG.
● Info String
Shows additional information about the device that used the PLUG previously, for
example, article number, type designation, and the versions of the hardware and
software. The displayed software version corresponds to the version in which the
configuration was last changed. With the "NOT ACCEPTED" status, further information
on the cause of the problem is displayed.
If a PLUG was configured as a PRESET PLUG this is shown here as additional
information in the first row. For more detailed information on creating and using a
PRESET PLUG refer to the section "Maintenance".
● Modify PLUG
Select the setting from the drop-down list. You have the following options for changing
the configuration on the C-PLUG or KEY-PLUG:
– Write Current Configuration to the PLUG
This option is available only if the status of the PLUG is "NOT ACCEPTED" or
"FACTORY".
The configuration in the internal flash memory of the device is copied to the PLUG.
– Erase PLUG to factory default
Deletes all data from the PLUG and triggers low-level formatting.

Procedure
1. You can only make settings in this box if you are logged on as "Administrator". Here, you
decide how you want to change the content of the PLUG.
2. Select the required option from the "Modify PLUG" drop-down list.
3. Click the "Set Values" button.

4.5.13.2 License

NOTICE
Do not remove or insert a C-PLUG / KEY-PLUG during operation!
A PLUG may only be removed or inserted when the device is turned off.
The device checks whether or not a PLUG is present at one second intervals. If it is
detected that the PLUG was removed, there is a restart. If a valid KEY-PLUG was inserted
in the device, the device changes to a defined error state following the restart. With
SCALANCE M, the available wireless interfaces are deactivated in this case.
If the device was configured at some time with a PLUG, the device can no longer be used
without this PLUG. To be able to use the device again, reset the device to the factory
settings.

Note
Incompatibility with previous versions with PLUG inserted
During the installation of a previous version, the configuration data can be lost. In this case,
the device starts up with the factory settings after the firmware has been installed. In this
situation, if a PLUG is inserted in the device, following the restart, this has the status "NOT
ACCEPTED" since the PLUG still has the configuration data of the previous more up-to-date
firmware. This allows you to return to the previous, more up-to-date firmware without any
loss of configuration data.
If the original configuration on the PLUG is no longer required, the PLUG can be deleted or
rewritten manually using "System > PLUG".

Information about the license of the KEY-PLUG


A C-PLUG can only store the configuration of a device. In addition to the configuration, a
KEY-PLUG also contains a license that enables certain functions of your SIMATIC NET
device.
This page provides detailed information about the license on the KEY-PLUG.

Description
● Status
Shows the status of the KEY-PLUG. The following are possible:
– ACCEPTED
There is a KEY-PLUG with a valid and matching license in the device.
– NOT ACCEPTED
The license of the inserted KEY-PLUG is not valid.
– NOT PRESENT
No KEY-PLUG is inserted in the device.
– MISSING
There is no KEY-PLUG inserted with the "FACTORY" status. Functions are configured
on the device for which a license is required.
– WRONG
The inserted KEY-PLUG is not suitable for the device.
– UNKNOWN
Unknown content of the KEY-PLUG.
– DEFECTIVE
The content of the KEY-PLUG contains errors.
● Order ID
Shows the order ID of the KEY-PLUG. The KEY-PLUG is available for various functional
enhancements and for various target systems.

● Serial Number
Shows the serial number of the KEY-PLUG.
● Info String
Shows additional information about the device that used the KEY-PLUG previously, for
example, article number, type designation, and the versions of the hardware and
software. The displayed software version corresponds to the version in which the
configuration was last changed. With the "NOT ACCEPTED" status, further information
on the cause of the problem is displayed.

Note
When you save the configuration, the information about whether or not a KEY-PLUG was
inserted in the device at the time is also saved. This configuration can then only work if a
KEY-PLUG with the same order number / license is inserted.

4.5.14 Ping

Reachability of an address in an IPv4 network


With the ping function, you can check whether a certain IPv4 address is reachable in the
network.

Description
The table has the following columns:
● Destination Address
Enter the IPv4 address or the FQDN of the device.
● Repeat
Enter the number of ping requests.
● Ping
Click this button to start the ping function.
● Ping Output
This box shows the output of the ping function.
● Clear
Click this button to empty the "Ping Output" box.

4.5.15 DCP Discovery


On this page you can select an interface and search for devices that are reachable via the
interface. The reachable devices are listed in a table. In the table you can check and adapt
the network parameters of the devices. To identify and configure the devices the Discovery
Configuration Protocol (DCP) is used.

Note
DCP Discovery
The function is only available with the VLAN associated with the TIA interface. You can
configure the TIA interface with "Layer 3 > Subnets > Configuration".

Requirement:
To adapt network parameters, DCP requires write access to the device. If access is
write-protected, the network parameters cannot be configured.
On the SCALANCE devices you configure the access in "System > Configuration".

Description
The page contains the following boxes:
● Interface
Select the required interface.
● Discover
Starts the search for devices reachable via the selected interface.
On completion of the search the reachable devices are listed in the table. The table is
limited to 100 entries.

The table has the following columns:
● Port
Shows the port via which the device can be reached.
● MAC Address
Shows the MAC address of the device.
● Device Type
Shows the product line or product group to which the device belongs.
● Device Name
If the device supports this function, you can assign a new PROFINET device name to the
device.
● IP Address
If necessary, adapt the IPv4 address of the device.
The IPv4 address should be unique within your network and should match the network.
The IPv4 address 0.0.0.0 means that no IPv4 address has yet been set.
● Subnet mask
If necessary, adapt the subnet mask of the device.
● Gateway Address
If necessary, specify the IPv4 address of the gateway.
● Status Device Name
– Discovered: The set device name is used.
– Configured: The device was assigned a new device name.
● Status IP Address
– Discovered/IP: The device uses a static IPv4 address.
– Discovered/DHCP: The device has obtained the IPv4 address from a DHCP server.
– Configured: The device was assigned a new IPv4 address.
● Timeout
Specify the time for flashing. When the time elapses, flashing stops.
● Flash
Makes the port LEDs of the selected device flash.

Procedure
1. Select the TIA interface.
2. To show all devices that can be reached via the TIA interface, click the "Browse" button.
3. Adapt the desired properties.
4. Click the "Set Values" button.
The status of the modified properties changes to "Configured".
5. To ensure that the properties were applied correctly, click the "Browse" button again.
The status of the modified properties changes to "Discovered".

4.5.16 DNS

4.5.16.1 DNS Client


On the WBM page you specify whether or not the device uses the DNS server of the network
provider or another DNS server.

Description
The page contains the following boxes:
● DNS client
Enable or disable depending on whether the device should operate as a DNS client.
● Used DNS Servers
Specify which DNS server the device uses:
– learned only
The device uses only the DNS servers assigned by DHCP.
– manual only
The device uses only the manually configured DNS servers. The DNS servers must
be connected to the Internet. A maximum of two DNS servers can be configured.
– all
The device uses all available DNS servers.

● DNS Server Address
Enter the IP address of the DNS server.
The table has the following columns:
● Select
Activate the check box in the row to be deleted.
● DNS Server Address
Shows the IP address of the DNS server.
● Origin
Shows whether the DNS server was configured manually or was assigned by DHCP.

4.5.16.2 DNS Proxy


The device provides a DNS server for the local network. If you enter the IP address of the
device in the local application as a DNS server, then the device answers the DNS requests
from its cache.
If the device does not know the IP address for a domain address, it forwards the query to an
external DNS server. How long the device keeps a domain address in the cache depends on
the host being addressed. In addition to the IP address, a DNS request to an external DNS
server also supplies the life span of this information.

Description
The page contains the following boxes:
● Enable DNS Proxy
Enable or disable the proxy of the DNS server.
● Cache Name Errors (NXDOMAIN)
Enable or disable the caching of NXDOMAIN replies. If you enable the option, the domain
names that were unknown to the DNS server remain in the cache.
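The caching behavior described above (answers kept for the life span the external server supplies, and NXDOMAIN replies kept only when "Cache Name Errors" is enabled) as an added example that is not the device's code and not from Siemens. The upstream resolver and the zone contents are constructed; real upstream replies carry the TTL in the answer record and, for NXDOMAIN, in the SOA minimum field of the authority section.

```python
import time
from typing import Callable, Dict, Tuple


class NxDomain(Exception):
    """Name does not exist; ttl is the negative-caching time the upstream
    server supplied with the NXDOMAIN reply."""

    def __init__(self, name: str, ttl: int):
        super().__init__(name)
        self.name, self.ttl = name, ttl


class DnsProxyCache:
    """TTL-driven cache in front of an upstream resolver."""

    def __init__(self, upstream: Callable[[str], Tuple[str, int]],
                 cache_name_errors: bool,
                 clock: Callable[[], float] = time.monotonic):
        self._upstream = upstream
        self._cache_name_errors = cache_name_errors
        self._clock = clock
        self._positive: Dict[str, Tuple[str, float]] = {}   # name -> (ip, expiry)
        self._negative: Dict[str, float] = {}               # name -> expiry
        self.upstream_queries = 0

    def resolve(self, name: str) -> str:
        name = name.rstrip(".").lower()
        now = self._clock()
        hit = self._positive.get(name)
        if hit is not None and hit[1] > now:
            return hit[0]                       # answered from cache
        neg = self._negative.get(name)
        if neg is not None and neg > now:
            raise NxDomain(name, int(neg - now))  # cached name error
        self.upstream_queries += 1
        try:
            ip, ttl = self._upstream(name)
        except NxDomain as err:
            self._positive.pop(name, None)
            if self._cache_name_errors:
                self._negative[name] = now + err.ttl
            raise
        self._negative.pop(name, None)
        self._positive[name] = (ip, now + ttl)
        return ip


class FakeClock:
    """Controllable clock so cache expiry can be exercised offline."""

    def __init__(self):
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


# Constructed zone: name -> (IPv4 address, TTL in seconds).
CONSTRUCTED_ZONE = {"plc1.example.com": ("192.0.2.10", 60)}


def constructed_upstream(name: str) -> Tuple[str, int]:
    """Stand-in for the external DNS server; unknown names get a 30 s negative TTL."""
    if name in CONSTRUCTED_ZONE:
        return CONSTRUCTED_ZONE[name]
    raise NxDomain(name, 30)


if __name__ == "__main__":
    clock = FakeClock()
    cache = DnsProxyCache(constructed_upstream, cache_name_errors=True, clock=clock)
    print(cache.resolve("plc1.example.com"), cache.upstream_queries)
    print(cache.resolve("plc1.example.com"), cache.upstream_queries)
```

Negative caching cuts repeated upstream traffic for names that do not exist, at the cost that a name created while its NXDOMAIN entry is still valid stays unresolvable until that entry expires.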

4.5.16.3 DDNS Client


The DDNS (Dynamic Domain Name System) is an Internet service that allows a fixed
hostname to be set up as a pseudonym for a dynamically changing IP address.
The DDNS client synchronizes the assigned IP address with the hostname registered at the
DDNS provider. This means that the device can always be reached using the same
hostname.

Description
The table has the following columns:
● Service
Shows which providers are supported.
● Enabled
When enabled, the device logs on to the DDNS server.
● Host
Enter the host name that you have agreed with your DDNS provider for the device, e.g.
example.no-ip.com.
● User Name
Enter the user name with which the device logs on to the DDNS server.
● Password
Enter the password assigned to the user.
● Password Confirmation
Confirm the password.

Procedure
Requirement:
● User name and password that gives you the right to use the DDNS service.
● Registered hostname, e.g. example.no-ip.com
● UDP port 53 for DNS is enabled and is not used for NAT.
1. In "Host", enter the hostname that you have agreed with your DDNS provider for the
device, e.g. example.no-ip.com.
2. Enter the login data (user name, password) for the DDNS server.
3. Select "Enabled". This hostname is used for the device.
4. Click on "Set Values".

4.5.17 DHCP

4.5.17.1 DHCP Client


If the device is configured as a DHCP client, it starts a DHCP request. As the reply to the
query the device receives an IPv4 address from the DHCP server. The server manages an
address range from which it assigns IPv4 addresses. It is also possible to configure the
server so that the client always receives the same IPv4 address in response to its request.

Description
The page contains the following boxes:
● Keep Alive
When this is enabled, the IP address is retained in the event of a connection breakdown
and is not reset to 0.0.0.0. Keep Alive is enabled by default. When Keep Alive is disabled,
the IP address is reset to 0.0.0.0 in the event of a communication breakdown.
● DHCP Client Configuration Request (Opt. 66, 67)
When enabled, the DHCP client uses the options to download the configuration file
(option 67) from the TFTP server (option 66). After the restart, the device uses the data
from the configuration file.

Note
Configuration file and firmware version
The configuration file is used to store and read in configuration data within a firmware
version, e.g. 4.3. Configuration files created with a firmware version <4.2 cannot be read
in to a device with a firmware version 4.3.

● DHCP Mode
Specify the type of identifier with which the DHCP client logs on with its DHCP server.
– via MAC Address
Identification is based on the MAC address.
– via DHCP Client ID
Identification is based on a freely defined DHCP client ID.
– via System Name
Identification is based on the system name. If the system name is 255 characters long,
the last character is not used for identification.
– via Iaid and Duid
With this the DHCP client can log on with DHCP servers that support parallel
operation of IPv4 and IPv6.
The identification is via the IAID and the DUID and identifies precisely one IP interface
of the device.
IAID (Interface Association Identifier): At least one IAID is generated for each IP
interface. The IAID remains unchanged when the DHCP client restarts.
DUID (DHCP Unique Identifier): Uniquely identifies server and clients and applies to
all IP interfaces of the device. The DUID remains unchanged when there is a restart.

Note
DHCP mode "via PROFINET device name"
With firmware version 5.0, the setting "via PROFINET device name" was removed.

The table has the following columns:
● Interface
Interface to which the setting relates.
● DHCP
Enable or disable the DHCP client for the relevant interface.
● IAID Value
Value with which the interface (DHCP client) identifies itself with the DHCP server.

Procedure
Follow the steps below to configure the IP address using the DHCP client ID:
1. Select the identification method in the "DHCP Mode" drop-down list.
If you select the DHCP mode "via DHCP Client ID" an input box appears.
In the enabled input box "DHCP client ID" enter a string to identify the device. This is then
evaluated by the DHCP server.
2. Select the "DHCP Client Configuration Request (Opt. 66, 67)", if you want the DHCP
client to use options 66 and 67 to download and then enable a configuration file.
3. Enable the "DHCP" option in the table.
4. Click the "Set Values" button.

Note
If a configuration file is downloaded, this can trigger a system restart. If the currently
running configuration and the configuration in the downloaded configuration file differ, the
system restarts.
Make sure that the option "DHCP Client Configuration Request (Opt. 66, 67)" is no longer
set.

4.5.17.2 DHCP Server


You can operate the device as a DHCP server. This allows IP addresses to be assigned
automatically to the connected devices. The IP addresses are either distributed dynamically
from an address band (pool) you have specified or a specific IP address is assigned to a
particular device.
On this page, specify the address band from which the connected devices receive their IP
addresses. You configure the static assignment of the IP addresses in "Static Leases".

Requirement
● The connected devices are configured so that they obtain the IP address from a DHCP
server.

Description
The page contains the following boxes:
● DHCP Server
Enable or disable the DHCP server on the device.

Note
To avoid conflicts with IPv4 addresses, only one device may be configured as a DHCP
server in the network.

● Probe address with ICMP echo before offer
When selected, the DHCP server checks whether or not the IP address has already been
assigned. To do this the DHCP server sends ICMP echo messages (ping) to the IPv4
address. If no reply is received, the DHCP server can assign the IPv4 address.

Note
If there are devices in your network on which the echo service is disabled as default,
there may be conflicts with the IPv4 addresses. To avoid this, assign these devices an
IPv4 address outside the IPv4 address band.

The table has the following columns:
● Select
Select the check box in the row to be deleted.
● Pool ID
Shows the number of the IPv4 address band. If you click the "Create" button, a new row
with a unique number is created (pool ID).
● Interface
Select a VLAN IP interface. The IPv4 addresses are assigned dynamically via this
interface.
The requirement for the assignment is that the IPv4 address of the interface is located in
the subnet of the IPv4 address band. If this is not the case, the interface does not assign
any IPv4 addresses.
● Enable
Specify whether or not this IPv4 address band will be used.

Note
If you enable the IPv4 address band, its settings in this and the other DHCP tabs are
grayed out and can no longer be edited.

● Subnet
Enter the network address range that will be assigned to the devices. Use the CIDR
notation.

● Lower IP Address
Enter the IPv4 address that specifies the start of the dynamic IPv4 address band. The
IPv4 address must be within the network address range you configured for "Subnet".
● Upper IP address
Enter the IPv4 address that specifies the end of the dynamic IPv4 address band. The
IPv4 address must be within the network address range you configured for "Subnet".
● Lease Time (sec)
Specify for how many seconds the assigned IPv4 address remains valid. When half the
period of validity has elapsed, the DHCP client can extend the period of the assigned
IPv4 address. When the entire time has elapsed, the DHCP client needs to request a new
IPv4 address.
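The constraints listed for a pool row (interface address inside the subnet, lower and upper address inside the "Subnet" range, lower not above upper, lease time in seconds with renewal at half the lease) as an added pre-flight check, not code from the manual or from Siemens. The `DhcpPool` model and the sample pools are constructed; the checks on the network and broadcast address and on the interface's own address are additional sanity rules a practitioner would apply before enabling a band.

```python
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass
class DhcpPool:
    """Constructed model of one DHCP Server table row plus the IPv4 address
    of the VLAN interface the pool is bound to."""
    pool_id: int
    interface_ip: str
    subnet: str        # CIDR notation, as the "Subnet" box expects
    lower_ip: str
    upper_ip: str
    lease_time: int    # seconds


def validate_pool(pool: DhcpPool) -> List[str]:
    """Return a list of problems; an empty list means the pool can be enabled."""
    problems: List[str] = []
    try:
        net = ipaddress.IPv4Network(pool.subnet, strict=True)   # rejects host bits set
    except ValueError as err:
        return [f"subnet: {err}"]
    iface = ipaddress.IPv4Address(pool.interface_ip)
    lower = ipaddress.IPv4Address(pool.lower_ip)
    upper = ipaddress.IPv4Address(pool.upper_ip)

    if iface not in net:
        problems.append(f"interface address {iface} is not in {net}; "
                        "the interface will not assign any addresses")
    if lower not in net:
        problems.append(f"lower address {lower} is outside {net}")
    if upper not in net:
        problems.append(f"upper address {upper} is outside {net}")
    if lower > upper:
        problems.append("lower address is above upper address")
    if lower == net.network_address:
        problems.append("lower address is the network address")
    if upper == net.broadcast_address:
        problems.append("upper address is the broadcast address")
    if lower <= iface <= upper:
        problems.append("the interface's own address lies inside the dynamic band")
    if pool.lease_time <= 0:
        problems.append("lease time must be a positive number of seconds")
    return problems


def renewal_time(lease_time: int) -> int:
    """Seconds after which a client may start extending its lease (half the lease)."""
    return lease_time // 2


if __name__ == "__main__":
    sample = DhcpPool(1, "192.168.10.1", "192.168.10.0/24",
                      "192.168.10.100", "192.168.10.199", 86400)
    print(validate_pool(sample) or "pool ok", "renew after", renewal_time(sample.lease_time), "s")
```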

4.5.17.3 DHCP Options


On this page you specify which DHCP options the DHCP server supports. The various
DHCP options are defined in RFC 2132.

Description
The page contains the following boxes:
● Pool ID
Select the required address band.
● Option Code
Enter the number of the required DHCP option.

Note
DHCP options supported
The DHCP options 1, 2, 3, 4, 5, 6, 42, 66, 67 are supported.

The DHCP options 1, 3, 6, 66 and 67 are created automatically when the IPv4 address
band is created. With the exception of option 1, the options can be deleted.
The table has the following columns:
● Select
Select the check box in the row to be deleted.
● Pool ID
Shows the number of the address band.
● Option Code
Shows the number of the DHCP option.

● Use Interface IP
Specify whether or not the internal IP address of the device will be used.
● Value
Enter the DHCP parameter that is transferred to the DHCP client. The content depends
on the DHCP option.

Value / Option name / Description / Entry
● 1 – Subnet Mask
The subnet mask is entered automatically. Option cannot be deleted.
● 2 – Offset time
Offset time to the coordinated universal time UTC. Enter the offset time in seconds in
hexadecimal format.
● 3 – Router
The IPv4 address for the router in the subnet of the DHCP client. If the device itself is the
router, the IPv4 address of the interface is used. You can specify several IPv4 addresses
separated by commas.
● 4 – Time server
The IPv4 address of the time server available to the DHCP client.
● 5 – Name server
The IPv4 address of the name server available to the DHCP client.
● 6 – DNS Server
The IPv4 address of the DNS server available to the DHCP client. If the device itself is the
DNS server, the IPv4 address of the interface is used.
● 42 – NTP Server
The IPv4 address of the NTP server available to the DHCP client.
● 66 – TFTP server
The IPv4 address or the host name of the TFTP server available to the DHCP client. Enter
the address of the TFTP server.
● 67 – Name of the boot file
The name of the boot file that the client downloads from the TFTP server. Enter the name
of the boot file in the string format.

4.5.17.4 Static Leases


On this page you specify that certain devices will be assigned a certain IP address. The
address assignment is made based on the MAC address, the client ID or the DUID.

Description
The page contains the following boxes:
● Pool ID
Select the required address band.
● Client Identification Method
Select the method according to which a client is identified.
– Ethernet MAC
Identification is based on the MAC address. Enter the MAC address in "Value". A
MAC address consists of six bytes separated by hyphens in hexadecimal notation, e.g.
00-ab-1d-df-b4-1d.
– Client ID
Identification is based on a freely defined DHCP client ID. Enter the required
designation in "Value".
– DUID
Identification is based on the DUID and IAID. Enter the required designation in "Value",
e.g. 00-00-01-C2-00-01-00-01-00-00-00-72-00-1B-1B-B6-32-9D.
● Value
Enter the required value. The entry depends on the selected identification method of the
client.

Note
A maximum of 20 entries are possible.

The table has the following columns:


● Select
Select the check box in the row to be deleted.
● Pool ID
Shows the number of the address band.
● Identification Method
Shows the method with which the client identifies itself with the DHCP server.
● Value
Shows the MAC address or client ID or DUID of the client.
● IP Address
Specify the IPv4 address that will be assigned to the client. The IPv4 address must be
within the address band.
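As an added example (not Siemens code and not a function of the device), the following Python checks the value formats that the "DHCP Options" table and the "Static Leases" section above require, and encodes an option in the RFC 2132 code/length/data form the DHCP server sends. The function names, the sample subnet and the sample address band are assumptions constructed for this example.

```python
"""Added example, not Siemens code: validate the value formats this page gives
for the supported DHCP options and for static-lease identifiers, and encode an
option as the RFC 2132 code/length/data form. Function names, the sample subnet
and the sample address band are constructed for this example."""
import ipaddress
import re

# Option codes the page lists as supported, with their RFC 2132 names.
SUPPORTED_OPTIONS = {
    1: "Subnet Mask", 2: "Time Offset", 3: "Router", 4: "Time Server",
    5: "Name Server", 6: "DNS Server", 42: "NTP Server",
    66: "TFTP Server", 67: "Bootfile Name",
}
IPV4_LIST_OPTIONS = {3, 4, 5, 6, 42}   # value: IPv4 addresses, comma separated

# Six hex bytes separated by hyphens (page example: 00-ab-1d-df-b4-1d).
_MAC_RE = re.compile(r"^(?:[0-9a-f]{2}-){5}[0-9a-f]{2}$", re.IGNORECASE)
# DUID: hex bytes separated by hyphens; a DUID is at least four bytes long.
_DUID_RE = re.compile(r"^(?:[0-9a-f]{2}-){3,}[0-9a-f]{2}$", re.IGNORECASE)


def encode_option(code: int, value: str, subnet: str) -> bytes:
    """Return code || length || data for one option after checking `value`
    against the format the option table requires for that code."""
    if code not in SUPPORTED_OPTIONS:
        raise ValueError(f"DHCP option {code} is not supported")
    net = ipaddress.IPv4Network(subnet, strict=True)   # pool "Subnet" in CIDR
    if code == 1:
        # The subnet mask is taken from the pool, never from the entered value.
        data = net.netmask.packed
    elif code in IPV4_LIST_OPTIONS:
        addrs = [ipaddress.IPv4Address(a.strip()) for a in value.split(",")]
        if code == 3 and not all(a in net for a in addrs):
            raise ValueError("router address must lie in the client subnet")
        data = b"".join(a.packed for a in addrs)
    elif code == 2:
        # Offset from UTC in seconds, entered in hexadecimal (signed 32 bit).
        data = (int(value, 16) & 0xFFFFFFFF).to_bytes(4, "big")
    elif code == 66:
        # TFTP server: IPv4 address or host name, sent as a string either way.
        try:
            ipaddress.IPv4Address(value)
        except ipaddress.AddressValueError:
            if not re.fullmatch(r"[A-Za-z0-9.-]+", value):
                raise ValueError("invalid TFTP server host name") from None
        data = value.encode("ascii")
    else:
        # 67: boot file name as a plain string.
        data = value.encode("ascii")
    if not 1 <= len(data) <= 255:
        raise ValueError("option data must be 1..255 bytes")
    return bytes([code, len(data)]) + data


def validate_static_lease(method: str, value: str, ip: str, band) -> bool:
    """Check one static-lease row: the identifier matches the chosen
    "Client Identification Method" and the assigned IPv4 address lies in
    the pool's address band, given as (lower, upper)."""
    if method == "Ethernet MAC":
        ok = _MAC_RE.match(value) is not None
    elif method == "Client ID":
        ok = 0 < len(value) <= 255          # freely defined string
    elif method == "DUID":
        ok = _DUID_RE.match(value) is not None
    else:
        raise ValueError(f"unknown identification method {method!r}")
    lower, upper = (ipaddress.IPv4Address(a) for a in band)
    return ok and lower <= ipaddress.IPv4Address(ip) <= upper
```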

4.5.18 cRSP / SRS

Note
Common Remote Service Platform (cRSP) / Siemens Remote Service (SRS) is a remote
maintenance platform via which remote maintenance access is possible.
To use the platform, additional service contracts are necessary and certain constraints must
be kept to. If you are interested in cRSP / SRS, call your local Siemens contact or visit the
Web page (https://support.industry.siemens.com/cs/gb/en/sc/2281).

On this page, you configure the access data for the SRS / cRSP according to the URI syntax.
The Uniform Resource Identifier (URI) is defined in RFC 3986.

Description
The page contains the following boxes:
● Enable DDNS for cRSP / SRS
Enable or disable the use of cRSP / SRS.
● Update Interval
Enter the time interval.
● Validate Server Certificate
When enabled, the device checks the validity of the received server certificate.
The table has the following columns:
● Index
The number of the entry.
● Select
Select the check box in the row to be deleted.
● Scheme
Identifies the access method and the resource type.
https: Secure access to a Web page.
● Authority
Contains the address of the destination server.
● Path
Contains the target path to the resource. The target path can correspond to a directory
name or file name.
● Query
A query can contain parameter values for an application.
– WAN_IP (keyword): The keyword WAN_IP is replaced with the current external IP
address of the device before the query is sent to the destination server.
● Frag.
Addresses local parts of the resource, e.g. the anchor attribute of a Web page.
● Status
Shows the status of the last cRSP / SRS access of the entry.
● Enabled
When enabled, this entry is used.

4.5.19 Proxy Server


On this WBM page, you configure the proxy server that is used by various components, for
example SINEMA RC.

Description
● Proxy Name
Enter a name for the proxy server.
The table has the following columns:
● Select
Select the check box in the row to be deleted.
● Name
Shows the name of the proxy server.
● Address
Enter the IPv4 address of the proxy server.
● Type
Specify the type of the proxy server.
– HTTP: Proxy server only for access using HTTP.
– SOCKS: Universal proxy server
● Port
Enter the port on which the proxy service runs.
● Auth. Method
Specify the authentication method.
– None
Without authentication
– Basic
Standard authentication. User name and password are sent unencrypted.
– NTLM (NT LAN Manager)
Authentication according to the NTLM standard (Windows user logon)

● User Name
Enter the user name for access to the proxy server.
● Password
Enter the password for access to the proxy server.
● Password Confirmation
Enter the password again to confirm it.

4.5.20 SINEMA RC
On this WBM page, you configure the access to the SINEMA RC server.

Note
This function can only be used with a KEY PLUG (Page 25).

Description
The page contains the following:
● Enable SINEMA RC
– Enabled:
A connection to the configured SINEMA RC Server is established. These boxes
cannot be edited.
– Disabled:
The boxes can be edited. Any existing connection is terminated.
"Server settings" area
● SINEMA RC Address
Enter the IPv4 address or the DNS host name of the SINEMA RC Server.
● SINEMA RC Port
Enter the port via which the SINEMA RC Server can be reached.
"Server Verification" area
● Verification Type
– Fingerprint: The identity of the server is verified based on the fingerprint.
– CA certificate: The identity of the server is verified based on the CA certificate.
● Fingerprint
Only necessary with the setting "Fingerprint". Enter the fingerprint of the device. The
fingerprint is assigned during commissioning of the SINEMA RC Server. Based on the
fingerprint, the device checks whether the correct SINEMA RC Server is involved. You
will find further information on this in the Operating Instructions of the SINEMA RC
Server.
● CA Certificate
Only necessary with the setting "CA Certificate". Select the CA certificate of the server
used to sign the server certificate. Only loaded CA certificates can be selected.
"Device Credentials" area
● Device ID
Enter the device ID. The device ID is assigned when configuring the device on the
SINEMA RC Server. You will find further information on this in the Operating Instructions
of the SINEMA RC Server.
● Device Password
Enter the password with which the device logs on to the SINEMA RC Server. The
password is assigned when configuring the device on the SINEMA RC Server. You will
find further information on this in the Operating Instructions of the SINEMA RC Server.
● Device Password Confirmation
Repeat the password.

"Optional Settings" area


● Auto Firewall/NAT Rules
– Enabled
The firewall and NAT rules are created automatically for the VPN connection. The
connections between the configured exported subnets and the subnets that can be
reached via the SINEMA RC Server are allowed. The NAT settings are implemented
as configured in the SINEMA RC Server.
– Disabled
You will need to create the firewall and NAT rules yourself.

Note
Cloud Connector via SINEMA RC (only with SCALANCE M804PB)
• Standard port 9023
The firewall rule is created automatically for the standard port. Communication with
the TIA Portal Cloud Connector is possible via this port.
• Any port
If you change the standard port, you must configure the following firewall rule:
Security > Firewall > IP service:
– Service name: "SINEMARC"
– Transport: TCP
– Source port: *
– Destination port: Port of the TIA Portal Cloud Connector, see "System > Cloud
Connector"
Security > Firewall > IP rules:
– Protocol: IPv4
– Action: Accept
– From: SINEMA RC
– To: Device
– Source (Range): SINEMA RC Address
– Destination (Range): 0.0.0.0/0
– Services: SINEMARC

● Type of connection
Specify the type of VPN connection. For more detailed information, refer to the section
"VPN connection establishment".
– Auto
The device adopts the settings of the SINEMA RC Server. You configure the settings
on the SINEMA RC Server in "Remote connections > Devices". You will find further
information on this topic in the operating instructions "SINEMA RC Server".
– Permanent
The settings of the SINEMA RC Server are ignored. The device establishes a VPN
connection to the SINEMA RC Server. The VPN tunnel is established permanently.
– Wake-up SMS (only with M87x)

SCALANCE S615 Web Based Management


214 Configuration Manual, 01/2019, C79000-G8976-C388-07
Configuring with Web Based Management
4.5 "System" menu

The settings of the SINEMA RC Server are ignored. When the device receives a
command SMS message (wake-up SMS message), it attempts to establish a
connection to the SINEMA RC Server. On condition that in "System > SMS > SMS
Command" it is specified who a command SMS of the class "System" will be accepted
from.
– Digital Input
The settings of the SINEMA RC Server are ignored. If the "Digital In" event occurs, the
device attempts to establish a VPN connection to the SINEMA RC Server. This is on
condition that the event "Digital Input" is forwarded to the VPN connection. To do this
in "System > Events > Configuration" activate "VPN Tunnel" for the "Digital In" event.
– Digital In & Wake-up SMS (only with M87x)
The settings of the SINEMA RC Server are ignored. If the "Digital In" event occurs or
when the device receives an SMS command, it attempts to establish a VPN
connection to the SINEMA RC Server.
● Use Proxy
Specify whether a connection to the defined SINEMA RC Server is established via a
proxy server. Only the proxy servers can be selected that you configured in "System >
Proxy Server".
● Autoenrollment Interval [min]
Specify the period of time in minutes after which queries are sent to the SINEMA RC
Server. With this query, the device checks whether there is a newer firmware file on the
SINEMA RC server or whether the connection settings have changed.
If you enter the value 0, this function is disabled.

4.6 "Interfaces" menu

4.6.1 Ethernet

4.6.1.1 Overview
The page shows the configuration for the data transfer for all ports of the device. You cannot
configure anything on this page.

Description
The table has the following columns:
● Port
Shows the configurable ports. The entry is a link. If you click on the link, the
corresponding configuration page is opened.
● Port Name
Shows the name of the port.
● Port Type (only with routing)
Shows the type of the port. The following types are possible:
– Switch Port VLAN Hybrid
– Switch Port VLAN Trunk
● Status
Shows whether the port is on or off. Data traffic is possible only over an enabled port.

● OperState
Displays the current operational status. The operational status depends on the configured
"Status" and the "Link". The available options are as follows:
– Up
You have configured the status "enabled" for the port and the port has a valid
connection to the network.
– Down
You have configured the status "disabled" or "Link down" for the port or the port has
no connection.
● Link
Shows the connection status to the network. With the connection status, the following is
possible:
– Up
The port has a valid link to the network, a link integrity signal is being received.
– Down
The link is down, for example because the connected device is turned off.
● Mode
Shows the transfer parameters of the port.
● Negotiation
Shows whether the automatic configuration is enabled or disabled.
● MAC Address
Shows the MAC address of the port.

4.6.1.2 Configuration

Configuring ports
With this page, you can configure all the ports of the device.

Description
● Port
Select the port to be configured from the drop-down list.
● Status
Specify whether the port is enabled or disabled.
– enabled
The port is enabled. Data traffic is possible only over an enabled port.
– disabled
The port is disabled but the connection remains.

Note
Turn off unused ports.

– link down
The port is disabled and the connection to the partner device is terminated.
● Port Name
Here, enter a name for the port.

● MAC Address
Shows the MAC address of the port.
● Mode Type
From this drop-down list, select the transmission speed and the transfer mode of the port.
The following settings are possible:
– 10 Mbps full duplex (FD) or half duplex (HD)
– 100 Mbps full duplex (FD) or half duplex (HD)
– Auto negotiation
If you set the mode to "Auto negotiation", these parameters are automatically negotiated
with the connected end device or network component. The partner must also be in
"Autonegotiation" mode.

Note
Before the port and partner port can communicate with each other, the settings must
match at both ends.

● Mode
Shows the transmission speed and the transmission mode of the port. The display
depends on the set "Mode Type".
● Negotiation
Shows whether the automatic configuration of the connection to the partner port is
enabled or disabled.
● Port Type
Select the type of port from the drop-down list.
– Switch Port VLAN Hybrid
The port sends tagged and untagged frames. It is not automatically a member of a
VLAN.
– Switch-Port VLAN Trunk
The port only sends tagged frames and is automatically a member of all VLANs.

● OperState
Displays the current operational status. The operational status depends on the configured
"Status" and the "Link". The available options are as follows:
– Up
You have configured the status "enabled" for the port and the port has a valid
connection to the network.
– Down
You have configured the status "disabled" or "Link down" for the port or the port has
no connection.
● Link
Shows the physical connection status to the network. The available options are as
follows:
– Up
The port has a valid link to the network, a link integrity signal is being received.
– Down
The link is down, for example because the connected device is turned off.

4.6.2 PPP

4.6.2.1 Overview
This page shows the current status of the PPP connection.

Description of the displayed values


This table contains the following columns:
● Interface
Shows the PPP interface. The entry is a link. If you click on the link, the corresponding
configuration page is opened.
● Name
Shows the name of the PPP interface.

● Type
Shows the protocol of the PPP connection.
● Operation
Shows whether the PPP connection is activated or deactivated.
● Status
Shows the status of the PPP connection.
– Ready
The PPP connection can be configured and enabled.
– Connecting
The PPP connection is configured, enabled and the connection is being established.
– Connected
The PPP connection is established.
– Error
Error status in which operator intervention is required, e.g. wrong password.

4.6.2.2 Configuration
On this page, you configure the PPP connection. The point-to-point protocol (PPP) allows
an external ADSL modem to be connected to an Ethernet interface and, via this modem, a
connection to the Internet to be established. The interface is also called the PPP interface.
The device acts as a router and logs in with the user name and password. All connected
devices can use the PPP connection.

Description
The page contains the following:
● Interface
Select the PPP interface to be configured.
● Name
Shows the name of the PPP interface. You can change the name in "Layer 3 > Subnets".
● Type
Specify the protocol for the PPP connection.
– PPPoE (Point-to-Point Protocol over Ethernet)
The PPP data is encapsulated in an Ethernet frame.
● Operation
Specify whether the PPP connection is activated or deactivated.
● L2 Interface
Specify the interface via which the PPP connection is established. Only VLANs with a
configured subnet can be selected.
● User Name
Enter the user name. You will receive the user name from the DSL provider.
● Password
Enter the password. You will receive the password from the DSL provider.
● Password Confirmation
Repeat the password.
● Forced Disconnect
After a certain time, the DSL provider terminates the connection. Enable this option if you
want to shift the forced disconnect of your provider to a specific time of day, for example
at night outside normal office hours.
● Time for Forced Disconnect
Specify the time of day to which you want to shift the forced disconnect of the DSL
provider. This is only possible if the correct system time is set on the device.
Input format: HH:MM

Procedure
1. Specify how the PPP interface obtains the IP address. The following options are
available:
– Dynamic
Activate the DHCP function on the PPP interface. You can configure this setting in
"Layer 3 > Subnets > Configuration".

Note
• With the subnets, a maximum of one interface can have a dynamic IP
configuration.

– Static IP address
Deactivate the DHCP function on the PPP interface. Enter the IP address and the
subnet mask.
2. Configure the PPP interface.
3. Select "Enabled" for operation to activate the PPP interface.
4. Click "Set Values" to adopt the settings.

4.7 "Layer 2" menu

4.7.1 Layer 2 configuration

Configuring layer 2
On this page, you create a basic configuration for the functions of layer 2.

Description
● Passive Listening
When enabled, the function ensures that the BPDUs from the RSTP network are
forwarded transparently and returned again. If this were not the case, loops would form at
the connection point between RSTP and the ring.

4.7.2 VLAN

4.7.2.1 General

VLAN configuration page


On this page you specify whether or not the device forwards frames with VLAN tags
transparently (IEEE 802.1D/VLAN-unaware mode) or takes VLAN information into account
(IEEE 802.1Q/VLAN-aware mode). If the device is in the "802.1Q VLAN Bridge" mode, you
can define VLANs and specify the use of the ports.
The possible settings on this page depend on what you select in the "Base Bridge Mode"
box.

Note
Changing the Agent VLAN ID
If the configuration PC is connected directly to the device via Ethernet and you change the
agent VLAN ID, the device is no longer reachable via Ethernet following the change.

Description
The page contains the following boxes:
● Base Bridge Mode

Note
Changing Base bridge mode
Note the section "Changing Base bridge mode" in this chapter. This section describes
how a change affects the existing configuration.

Select the required mode from the drop-down list. The following modes are possible:
– 802.1Q VLAN Bridge
Sets the mode "VLAN-aware" for the device. In this mode, VLAN information is taken
into account.
– 802.1D Transparent Bridge
Sets the mode "VLAN-unaware" for the device. In this mode, VLAN tags are not taken
into account or changed but are forwarded transparently. In this mode, you cannot
create any VLANs. Only a management VLAN is available: VLAN 1.
● VLAN ID
Enter the VLAN ID in the "VLAN ID" input box.
Range of values: 1 ... 4094
The table has the following columns:
● Select
Select the row you want to delete.
● VLAN ID
Shows the VLAN ID. The VLAN ID (a number between 1 and 4094) can only be assigned
once when creating a new data record and can then no longer be changed. To make a
change, the entire data record must be deleted and created again.
● Name
Enter a name for the VLAN. The name only provides information and has no effect on the
configuration. The length is a maximum of 32 characters.

● Status
Shows the status type of the entry in the internal port filter table. Here, "Static" means that
the VLAN was entered statically by the user.
● List of ports
Specify the use of the port. The following options are available:
– "-"
The port is not a member of the specified VLAN.
With a new definition, all ports have the identifier "-".
– M
The port is a member of the VLAN. Frames sent in this VLAN are forwarded with the
corresponding VLAN tag.
– U (uppercase)
The port is an untagged member of the VLAN. Frames sent in this VLAN are
forwarded without the VLAN tag. Frames without a VLAN tag are sent from this port.
– u (lowercase)
The port is an untagged member of the VLAN, but the VLAN is not configured as a
port VLAN. Frames sent in this VLAN are forwarded without the VLAN tag.
– F
The port is not a member of the specified VLAN and cannot become a member of this
VLAN even if it is configured as a trunk port.
– T
This option is only displayed and cannot be selected in the WBM.
This port is a trunk port making it a member in all VLANs.
You configure this function in the CLI (Command Line Interface) using the "switchport
mode trunk" command or in the WBM under "Interfaces > Ethernet > Configuration".

Changing Base bridge mode


VLAN-unaware (802.1D transparent bridge) → VLAN-aware (802.1Q VLAN bridge)
If you change the Base bridge mode from VLAN-unaware to VLAN-aware, this has the
following effects:
● All static and dynamic unicast entries are deleted.
VLAN-aware (802.1Q VLAN bridge) → VLAN-unaware (802.1D transparent bridge)
If you change the Base bridge mode from VLAN-aware to VLAN-unaware, this has the
following effects:
● All VLAN configurations are deleted.
● A management VLAN is created: VLAN 1.
● All static and dynamic unicast entries are deleted.

802.1Q VLAN Bridge: Important rules for VLANs


Make sure you keep to the following rules when configuring and operating your VLANs:
● Frames with the VLAN ID "0" are handled as untagged frames but retain their priority
value.
● As default, all ports on the device send frames without a VLAN tag to ensure that the end
node can receive these frames.
● You will find the factory assignment of the ports in the section "VLAN (Page 37)".
● The VLANs are in different IP subnets. To allow these to communicate with each other,
the route and firewall rule must be configured on the device.
● If an end node is connected to a port, outgoing frames should be sent without a tag (static
access port). If, however, there is a further switch at this port, the frame should have a
tag added (trunk port).

Procedure
Requirement:
Base Bridge Mode is set to "802.1Q VLAN Bridge".
Creating a new VLAN
1. Enter an ID in the "VLAN ID" input box.
2. Click the "Create" button. A new entry is generated in the table. As default, the boxes
have "-" entered.
3. Enter a name for the VLAN under Name.
4. Specify the use of the port in the VLAN. If, for example you select M, the port is a
member of the VLAN. The frame sent in this VLAN is forwarded with the corresponding
VLAN tag.
5. Specify the mode of the device.
6. Click the "Set Values" button.

4.7.2.2 Port Based VLAN

Processing received frames


On this WBM page, you specify the configuration of the port properties for receiving frames.

Description
Table 1 has the following columns:
● All ports
Shows that the settings are valid for all ports of table 2.
● Priority / Port VID / Acceptable Frames / Ingress Filtering
In the drop-down list, select the setting for all ports. If "No Change" is selected, the entries
of the corresponding column in table 2 remain unchanged.
● Copy to Table
If you click the button, the setting is adopted for all ports of table 2.
Table 2 has the following columns:
● Port
Shows the available ports.
● Priority
Select the required priority assigned to untagged frames.
The CoS priority (Class of Service) used in the VLAN tag. If a frame is received without a
tag, it will be assigned this priority. This priority specifies how the frame is further
processed compared with other frames.
There are a total of eight priorities with values 0 to 7, where 7 represents the highest
priority (IEEE 802.1p Port Priority).

● Port VID
Select the required VLAN ID. Only VLAN IDs defined in "VLAN > General" can be
selected.
If a received frame does not have a VLAN tag, it has a tag with the VLAN ID specified
here added to it and is sent according to the rules at the port.
● Acceptable Frames
Specify which types of frames will be accepted. The following alternatives are possible:
– Tagged Frames Only
The device discards all untagged frames. Otherwise, the forwarding rules apply
according to the configuration.
– All
The device forwards all frames.
● Ingress Filtering
Specify whether the VID of received frames is evaluated.
You have the following options:
– Enabled
The VLAN ID of received frames decides whether they are forwarded: To forward a
VLAN tagged frame, the receiving port must be a member in the same VLAN. Frames
from unknown VLANs are discarded at the receiving port.
– Disabled
All frames are forwarded.

Steps in configuration
1. In the row of the port to be configured, click on the relevant cell in the table to configure it.
2. Enter the values to be set in the input boxes.
3. Select the values to be set from the drop-down lists.
4. Click the "Set Values" button.
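As an added example (not Siemens code and not the device's own implementation), the following Python applies the ingress rules described on this page and in "Important rules for VLANs" above to constructed frames: untagged and VID-0 frames take the Port VID, VID 0 keeps its priority, "Tagged Frames Only" discards untagged frames, and ingress filtering discards tagged frames of VLANs the port is not a member of. The port names, the VLAN membership table and the frames are assumptions constructed here.

```python
"""Added example, not Siemens code: the ingress decision for one port as the
"Port Based VLAN" page and the VLAN rules above describe it. Port names, the
VLAN membership table and the sample frames are constructed here."""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass
class PortConfig:
    priority: int            # CoS given to untagged frames (0..7, 7 highest)
    port_vid: int            # "Port VID"; must be a VLAN defined in VLAN > General
    tagged_only: bool        # "Acceptable Frames" = Tagged Frames Only
    ingress_filtering: bool  # drop tagged frames of VLANs this port is not in


@dataclass
class Frame:
    vid: Optional[int]       # None = no VLAN tag; 0 = priority-tagged
    pcp: int = 0             # priority field of the tag


def ingress(port: str, cfg: PortConfig, members: Dict[int, Set[str]],
            frame: Frame) -> Optional[Tuple[int, int]]:
    """Return the (vid, priority) the frame is classified into, or None if
    the port discards it. `members` maps VLAN ID -> set of member ports."""
    if not 0 <= cfg.priority <= 7:
        raise ValueError("priority must be 0..7")
    if cfg.port_vid not in members:
        raise ValueError("Port VID must be a VLAN defined in VLAN > General")
    # A tag with VLAN ID 0 is handled as untagged but keeps its priority value.
    untagged = frame.vid is None or frame.vid == 0
    if untagged:
        if cfg.tagged_only:
            return None                       # Tagged Frames Only: discarded
        prio = cfg.priority if frame.vid is None else frame.pcp
        return cfg.port_vid, prio             # tagged with the Port VID
    if cfg.ingress_filtering and port not in members.get(frame.vid, set()):
        return None   # receiving port is not a member of the VLAN in the tag
    return frame.vid, frame.pcp
```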

4.7.3 Dynamic MAC Aging

Protocol settings and switch functionality


The device automatically learns the source addresses of the connected nodes. This
information is used to forward data frames to the nodes specifically involved. This reduces
the network load for the other nodes.
If a device does not receive a frame whose source address matches a learnt address within
a certain time, it deletes the learnt address. This mechanism is known as "Aging". Aging
prevents frames being forwarded incorrectly, for example when an end device is connected
to a different port.
If the check box is not enabled, a device does not delete learned addresses automatically.

Description of the displayed boxes


The page contains the following boxes:
● Dynamic MAC Aging
Enable or disable the function for automatic aging of learned MAC addresses.
● Aging Time[s]
Enter the time in seconds in steps of 15. After this time, a learned address is deleted if
the device does not receive any further frames from this sender address.
Range of values: 15 - 630 (seconds)

Note
Rounding of the values, deviation from desired value
When you input the Aging Time, note that it is rounded to a valid value. If you enter a
value that is not divisible by 15, the value is automatically rounded down.

Steps in configuration
1. Select the "Dynamic MAC Aging" check box.
2. Enter the time in seconds in the "Aging Time[s]" input box.
3. Click the "Set Values" button.

4.7.4 Spanning Tree

4.7.4.1 General
This is the basic page for spanning tree. As default, Rapid Spanning Tree is enabled.

Description
The page contains the following boxes:
● Spanning Tree
Enable or disable spanning tree.
● Protocol Compatibility
The following setting is available:
– RSTP

Procedure
1. Select the "Spanning Tree" check box.
2. Click the "Set Values" button.

4.7.4.2 ST general
The page consists of the following parts.
● The left-hand side of the page shows the configuration of the device.
● The right-hand part shows the configuration of the root bridge that can be derived from
the spanning tree frames received by a device.

Description
The page contains the following boxes:
● Bridge Priority / Root Priority
Which device becomes the root bridge is decided by the bridge priority. The bridge with
the highest priority (in other words, with the lowest value for this parameter) becomes the
root bridge. If several devices in a network have the same priority, the device whose MAC
address has the lowest numeric value will become the root bridge. Together, the bridge
priority and the MAC address form the bridge identifier. Since the root bridge manages all
path changes, it should be located as centrally as possible to keep the delay of the frames
low.
The value for the bridge priority is a whole multiple of 4096. Range of values: 0 - 61440
● Bridge Address / Root Address
The bridge address shows the MAC address of the device and the root address shows
the MAC address of the root bridge.
● Root port
Shows the port via which the switch communicates with the root bridge.
● Root Cost
The path costs from this device to the root bridge.
● Topology Changes / Last Topology Change
The entry for the device shows the number of reconfiguration actions due to the spanning
tree mechanism since the last startup. For the root bridge, the time since the last
reconfiguration is displayed as follows:
– Seconds: Unit "sec" after the number
– Minutes: Unit "min" after the number
– Hours: Unit "hr" after the number
● Bridge hello time [s] / Root hello time [s]
Each bridge sends configuration frames (BPDUs) regularly. The interval between two
configuration frames is the "Hello Time".
Factory setting: 2 seconds
● Bridge Forward Delay[s] / Root Forward Delay[s]
New configuration data is not used immediately by a bridge but only after the period
specified in the Forward Delay parameter. This ensures that operation is only started with
the new topology after all the bridges have the required information.
Factory setting: 15 seconds
● Bridge Max Age[s] / Root Max Age[s]
If the BPDU is older than the specified "Max Age" it is discarded.
Factory setting: 20 seconds
● Reset Counters
Click this button to reset the counters on this page.

4.7.4.3 ST port
When the page is called, the table displays the current status of the configuration of the port
parameters.
To configure them, click the relevant cells in the port table.

Description
Table 1 has the following columns:
● All ports
Shows that the settings are valid for all ports of table 2.
● Spanning Tree Status
In the drop-down list, select the setting for all ports. If "No Change" is selected, the entries
of the corresponding column in table 2 remain unchanged.
● Copy to Table
If you click the button, the setting is adopted for all ports of table 2.
Table 2 has the following columns:
● Port
Shows the available ports.
● Spanning Tree Status
Specify whether or not the port is integrated in the spanning tree.

Note
If you disable the "Spanning Tree Status" option for a port, this may cause the formation
of loops. The topology must be kept in mind.

● Priority
Enter the priority of the port. The priority is only evaluated when the path costs are the
same.
The value must be divisible by 16. If the value cannot be divided by 16, it is
automatically adapted.
Range of values: 0 - 240.
The default is 128.
● Cost Calc.
Enter the path cost calculation. If you enter the value "0" here, the automatically
calculated value is displayed in the "Path costs" box.
● Path Cost
This parameter is used to calculate the path that will be selected. The path with the
lowest value is selected as the path. If several ports of a device have the same value for
the path costs, the port with the lowest port number is selected.
If the value in the box "Cost Calc." is "0", the automatically calculated value is shown.
Otherwise, the value of the "Cost Calc." box is displayed.
The calculation of the path costs is largely based on the transmission speed. The higher
the achievable transmission speed is, the lower the value of the path costs.
Typical values for path costs with rapid spanning tree:
– 10,000 Mbps = 2,000
– 1000 Mbps = 20,000
– 100 Mbps = 200,000
– 10 Mbps = 2,000,000
The values can, however, also be set individually.
● Status
Displays the current status of the port. The values are only displayed and cannot be
configured. The "Status" parameter depends on the configured protocol. The following
values are possible:
– Disabled
The port only receives and is not involved in STP, MSTP and RSTP.
– Discarding
In the "Discarding" mode, BPDU frames are received. Other incoming or outgoing
frames are discarded.
– Listening
In this status, BPDUs are both received and sent. The port is involved in the spanning
tree algorithm.
– Learning
Stage prior to the "Forwarding" status, the port is actively learning the topology (in
other words, the node addresses).
– Forwarding
Following the reconfiguration time, the port is active in the network; it receives and
forwards data frames.
● Fwd. Trans
Specifies the number of changes from the "Discarding" status to the "Forwarding" status.
● Edge Type
Specify the type of "edge port". You have the following options:
– "-"
Edge port is disabled. The port is treated as a "no Edge Port".
– Admin
Select this option when there is always an end device on this port. Otherwise a
reconfiguration of the network will be triggered each time a connection is changed.
– Auto
Select this option if you want a connected end device to be detected automatically at
this port. When the connection is established the first time, the port is treated as a "no
Edge Port".
– Admin/Auto
Select these options if you operate a combination of both on this port. When the
connection is established the first time, the port is treated as an "Edge Port".
● Edge
Shows the status of the port.
– Enabled
An end device is connected to this port.
– Disabled
There is a Spanning Tree or Rapid Spanning Tree device at this port.
With an end device, a switch can change over the port faster without taking into account
spanning tree frames. If a spanning tree frame is received despite this setting, the port
automatically changes to the "Disabled" setting.
● P.t.P. Type
Select the required option from the drop-down list. The selection depends on the port that
is set.
– "-"
Point to point is calculated automatically. If the port is set to half duplex, a point-to-point
link is not assumed.
– P.t.P.
Also with half duplex, a point-to-point link is assumed.
– Shared Media
Even with a full duplex connection, a point-to-point link is not assumed.

Note
Point-to-point link means a direct connection between two devices. A shared media
connection is, for example, a connection to a hub.
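The root bridge election described under "ST general" (priority, then MAC address) and the port rules under "ST port" (priority divisible by 16, path cost per link speed, lowest port number on equal cost) as an added example; this is not Siemens code, the bridge names and MAC addresses are constructed, and rounding a port priority down is an assumption.

```python
"""Added example (not Siemens code): RSTP root bridge election and the "ST port"
parameter rules from the pages above. Bridge names and MAC addresses are
constructed; rounding port priority down is an assumption."""
from __future__ import annotations
from dataclasses import dataclass

# Typical RSTP path costs per link speed in Mbps, as quoted on the "ST port" page.
RSTP_PATH_COST = {10_000: 2_000, 1_000: 20_000, 100: 200_000, 10: 2_000_000}

BRIDGE_PRIORITY_STEP, BRIDGE_PRIORITY_MAX = 4096, 61440   # whole multiples of 4096
PORT_PRIORITY_STEP, PORT_PRIORITY_MAX = 16, 240           # divisible by 16


def check_bridge_priority(value: int) -> int:
    """The "Bridge Priority" box: 0..61440 and a whole multiple of 4096, else rejected."""
    if not 0 <= value <= BRIDGE_PRIORITY_MAX or value % BRIDGE_PRIORITY_STEP:
        raise ValueError(f"bridge priority {value}: must be k*4096 with 0 <= k <= 15")
    return value


def adapt_port_priority(value: int) -> int:
    """Port "Priority": 0..240; a value not divisible by 16 is automatically
    adapted. Rounding down is assumed (the page does not say which way)."""
    if not 0 <= value <= PORT_PRIORITY_MAX:
        raise ValueError(f"port priority {value}: range is 0..240")
    return value - value % PORT_PRIORITY_STEP


def path_cost(speed_mbps: int, cost_calc: int = 0) -> int:
    """The "Path Cost" column: the "Cost Calc." value if it is not 0, otherwise
    the value calculated automatically from the link speed."""
    if cost_calc < 0:
        raise ValueError('"Cost Calc." must be 0 (automatic) or a positive cost')
    return cost_calc if cost_calc else RSTP_PATH_COST[speed_mbps]


@dataclass(frozen=True)
class Bridge:
    name: str
    priority: int     # "Bridge Priority"
    mac: str          # "Bridge Address"

    def bridge_id(self) -> int:
        """Bridge identifier: priority in the high bits, MAC address below it.
        Comparing it numerically gives the election rule of the page: the lowest
        priority value wins, equal priorities fall back to the lowest MAC address."""
        mac_int = int(self.mac.replace(":", "").replace("-", ""), 16)
        return (check_bridge_priority(self.priority) << 48) | mac_int


def elect_root(bridges: list[Bridge]) -> Bridge:
    """The bridge with the lowest bridge identifier becomes the root bridge."""
    return min(bridges, key=Bridge.bridge_id)


def root_is_expected(bridges: list[Bridge], expected_name: str) -> bool:
    """Defender check: if a bridge other than the planned one wins (for example an
    unknown MAC address advertising priority 0), the topology is not the designed one."""
    return elect_root(bridges).name == expected_name


@dataclass(frozen=True)
class PortToRoot:
    number: int              # "Port"
    priority: int            # "Priority", only evaluated when path costs are equal
    cost: int                # "Path Cost" of this link
    upstream_root_cost: int  # "Root Cost" the neighbour on this port reports


def choose_root_port(ports: list[PortToRoot]) -> PortToRoot:
    """Lowest total cost to the root wins; equal costs are decided by the lower
    port priority and then, as the page states, by the lowest port number."""
    return min(ports, key=lambda p: (p.cost + p.upstream_root_cost,
                                     adapt_port_priority(p.priority), p.number))


if __name__ == "__main__":
    # Constructed sample: two bridges share priority 4096, so the MAC address decides.
    lan = [Bridge("core-A", 32768, "00:1b:1b:00:00:01"),
           Bridge("core-B", 4096, "00:1b:1b:00:00:03"),
           Bridge("s615", 4096, "00:1b:1b:00:00:02")]
    print("root bridge:", elect_root(lan).name)                     # s615
    print("planned root core-B:", root_is_expected(lan, "core-B"))  # False
    uplinks = [PortToRoot(1, 128, path_cost(100), 20_000),
               PortToRoot(2, 128, path_cost(1_000), 20_000),
               PortToRoot(3, 128, path_cost(1_000), 20_000)]
    print("root port:", choose_root_port(uplinks).number)           # 2
```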

4.7.5 LLDP

Identifying the network topology
LLDP (Link Layer Discovery Protocol) is defined in the IEEE 802.1AB standard.
LLDP is a method used to discover the network topology. Network components exchange
information with their neighbor devices using LLDP.
Network components that support LLDP have an LLDP agent. The LLDP agent sends
information about itself and receives information from connected devices at periodic
intervals. The received information is stored in the MIB.

Applications
PROFINET uses LLDP for topology diagnostics. In the factory setting, LLDP is enabled for
all available ports; in other words, LLDP frames are sent on the ports.
The information sent is stored on every device with LLDP capability in an LLDP MIB file.
Network management systems can access these LLDP MIB files using SNMP and therefore
recreate the existing network topology. In this way, an administrator can find out which
network components are connected to each other and can localize disruptions.
On this page, you have the option of enabling or disabling sending and/or receiving per port.

Description
Table 1 has the following columns:
● All Ports
Shows that the settings are valid for all ports.
● Setting
Select the setting from the drop-down list. If "No Change" is selected, the entry in table 2
remains unchanged.
● Copy to Table
If you click the button, the setting is adopted for all ports of table 2.
Table 2 has the following columns:
● Port
Shows the available ports.
● Setting
Specify the LLDP functionality. The following options are available:
– Rx
This port can only receive LLDP frames.
– Tx
This port can only send LLDP frames.
– Rx & Tx
This port can receive and send LLDP frames.
– "-" (disabled)
This port can neither receive nor send LLDP frames.

Procedure
1. Select the LLDP functionality of the port from the "Setting" drop-down list.
2. Click the "Set Values" button.

4.8 "Layer 3" menu

4.8.1 Static routes
On this page, you specify the routes via which data exchange can take place between the
various subnets. Dynamic routing protocols such as RIP and OSPF are not supported.

Description
The page contains the following boxes:
● Destination Network
Enter the network address of the destination that can be reached via this route.
● Subnet Mask
Enter the corresponding subnet mask.
● Interface
Specify whether the network address can be reached via a certain interface or via the
gateway (auto).
● Gateway
Enter the IPv4 address of the gateway via which this network address is reachable.
● Administrative Distance
Enter the metric for the route. The metric corresponds to the quality of a connection, for
example speed, costs. If there are several equal routes, the route with the lowest metric
value is used.
If you do not enter anything, "not used" is entered automatically. The metric can be
changed later.
Range of values: 1 - 255 or -1 for "not used".
Here, 1 is the value for the best possible route. The higher the value, the longer packets
take to reach their destination.

The table has the following columns:
● Select
Select the row you want to delete.
● Destination Network
Shows the network address of the destination.
● Subnet Mask
Shows the corresponding subnet mask.
● Gateway
Shows the IPv4 address of the next gateway.
● Interface
Shows the interface of the route.
● Administrative Distance
Enter the metric for the route. When creating the route, "not used" is entered
automatically. The metric corresponds to the quality of a connection, based for example
on speed or costs. If there are several equal routes, the route with the lowest metric value
is used.
Range of values: 1 - 255
Here, 1 is the value for the best possible route. The higher the value, the longer the packets
take to reach their destination.
● Status
Shows whether or not the route is active.

Procedure
1. Enter the network address of the destination in the "Destination Network" input box.
2. Enter the corresponding subnet mask in the "Subnet Mask" input box.
3. For "Interface", select the entry "auto".
4. Enter the gateway in the "Gateway" input box.
5. Enter the weighting of the route in "Administrative Distance".
6. Click the "Create" button. A new entry is generated in the table.
7. Click the "Set Values" button.

4.8.2 Subnets

4.8.2.1 Overview
The page shows the subnets for the selected interface. A subnet always relates to an
interface and is created in the "Configuration" tab.

Description
The page contains the following box:
● Interface
Select the interface on which you want to configure another subnet.
The table has the following columns:
● Select
Select the row you want to delete.
● Interface
Shows the interface.
● TIA Interface
Shows the selected TIA interface.
● Interface Name
Shows the name of the interface.
● MAC Address
Shows the MAC address.
● IP Address
Shows the IPv4 address of the subnet.
● Subnet Mask
Shows the subnet mask.
● Address Type
Shows the address type. The following values are possible:
– Primary
The first IPv4 address that was configured on the IPv4 interface.
– Secondary
All other IPv4 addresses that were configured on the IPv4 interface.
● IP Assignment Method
Shows how the IPv4 address is assigned. The following values are possible:
– Static
The IPv4 address is static. You enter the settings in "IP Address" and "Subnet Mask".
– Dynamic (DHCP)
The device obtains a dynamic IPv4 address from a DHCPv4 server.
● Address Collision Detection Status
If new IPv4 addresses become active in the network, the "Address Collision Detection"
function checks whether this can result in address collisions. This allows IPv4 addresses
that would be assigned twice to be detected.

Note
The function does not run a cyclic check.

This column shows the current status of the function. The following values are possible:
– Idle
The interface is not enabled and does not have an IPv4 address.
– Starting
This status indicates the start-up phase. In this phase, the device initially sends a
query as to whether the planned IPv4 address already exists. If the address has not yet
been assigned, the device sends the message that it is using this IP address as of
now.
– Conflict
The interface is not enabled. The interface is attempting to use an IPv4 address
that has already been assigned.
– Defending
The interface uses a unique IPv4 address. Another interface is attempting to use the
same IPv4 address.
– Active
The interface uses a unique IPv4 address. There are no collisions.
– Not supported
The function for detection of address collisions is not supported.
– Disabled
The function for detection of address collisions is disabled.
● MTU
Shows the packet size.

4.8.2.2 Configuration
On this page, you configure the subnet for the interface.

Description
The page contains the following:
● Interface (Name)
Select the interface from the drop-down list.
● Interface Name
Enter the name of the interface.
● MAC Address
Displays the MAC address of the selected interface.
● DHCP
Enable or disable the DHCP client for this IPv4 interface.
● IP Address
Enter the IPv4 address of the interface. The IPv4 addresses must not be used more than
once.
● Subnet Mask
Enter the subnet mask of the subnet you are creating. Subnets on different interfaces
must not overlap.
● Broadcast IP Address
If a specific IP address is to be used as the broadcast IP address of the subnet, enter
this. Otherwise the last IP address of the subnet will be used.
● Address Type
Shows the address type. The following values are possible:
– Primary
The first subnet of the interface.
– Secondary
All further subnets of the interface.
● TIA Interface
Select whether or not this interface should become the TIA Interface. The TIA interface
defines on which VLAN the PROFINET functionalities are available. This mainly affects
the device search with or via DCP.
● MTU
MTU (Maximum Transmission Unit) specifies the maximum size of the packet. If packets
are longer than the set MTU, they are fragmented. The MTU covers the IP header and
the headers of the higher layers.
The range of values is from 90 to 1500 bytes.

4.8.3 NAT

4.8.3.1 Masquerading
On this WBM page, you enable the rules for IP masquerading.

Description
The table has the following columns:
● Interface
Interface to which the setting relates. Only interfaces with a configured subnet are
available.
● Enable Masquerading
When enabled, with each outgoing data packet sent via this interface, the source IP
address is replaced by the IP address of the interface.

4.8.3.2 NAPT
On this WBM page, you can configure a port translation in addition to the address
translation.
The following port translations are possible:
● From a single port to the same port:
If the ports are the same, the frames will be forwarded without port translation.
● From a single port to a single port
The frames are translated to the port.
● From a port range to a single port
The frames from the port range are translated to the same port (n:1).
● From a port range to the same port range
If the port ranges are the same, the frames will be forwarded without port translation.

Description
The page contains the following boxes:
● Source Interface
Select the interface on which the queries will arrive.
● Traffic Type
Specify the protocol for which the address assignment is valid.
● Use Interface IP from Source Interface
When enabled, the IP address of the selected interface is used for "Dest IP Address".
● Destination IP Address
Enter the destination IP address. The frames are received at this IP address. Can only be
edited if "Use Interface IP from Source Interface" is disabled.
● Destination Port
Enter the destination port. Incoming frames with this port as the destination port are
forwarded. If the setting is intended to apply to a port range, enter the range with start
port "-" end port, for example 30 - 40.
● Translated Destination IP
Enter the IP address of the node to which this frame will be forwarded.
● Translated Destination Port
Enter the number of the port. This is the new destination port to which the incoming frame
will be forwarded. If the setting is intended to apply to a port range, enter the range with
start port "-" end port, for example 30 - 40.
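The four port translation cases listed at the start of this section and the start port "-" end port notation of the "Destination Port" and "Translated Destination Port" boxes, as an added example; this is not Siemens code, the interface names, addresses and rules are constructed, and "first matching rule wins" is an assumption.

```python
"""Added example (not Siemens code): how a rule from the "NAPT" page maps an incoming
destination port to the "Translated Destination Port" for the four cases the page
lists. Interface names, addresses and rules are constructed; first-match ordering
between rules is an assumption."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional


def parse_port_spec(spec: str) -> tuple[int, int]:
    """Parse a single port ("502") or a range written as start port "-" end port
    ("30 - 40") into an inclusive (low, high) tuple."""
    parts = [p.strip() for p in spec.split("-")]
    if len(parts) == 1:
        low = high = int(parts[0])
    elif len(parts) == 2:
        low, high = int(parts[0]), int(parts[1])
    else:
        raise ValueError(f"bad port specification: {spec!r}")
    if not 1 <= low <= high <= 65535:
        raise ValueError(f"port specification out of order or out of range: {spec!r}")
    return low, high


@dataclass(frozen=True)
class NaptRule:
    source_interface: str            # "Source Interface": where the queries arrive
    traffic_type: str                # "Traffic Type", e.g. "tcp"
    destination_ip: str              # "Destination IP Address"
    destination_port: str            # "Destination Port": "502" or "30 - 40"
    translated_destination_ip: str   # "Translated Destination IP"
    translated_destination_port: str # "Translated Destination Port"

    def translate(self, interface: str, proto: str, dst_ip: str,
                  dst_port: int) -> Optional[tuple[str, int]]:
        """Return (new destination IP, new destination port) for a matching frame,
        or None when this rule does not apply to the frame."""
        if (interface, proto, dst_ip) != (self.source_interface, self.traffic_type,
                                          self.destination_ip):
            return None
        low, high = parse_port_spec(self.destination_port)
        if not low <= dst_port <= high:
            return None
        t_low, t_high = parse_port_spec(self.translated_destination_port)
        if (low, high) == (t_low, t_high):
            # single port -> same port, or range -> same range: address only, no port translation
            new_port = dst_port
        elif t_low == t_high:
            # single port -> single port, or range -> single port (n:1)
            new_port = t_low
        else:
            # A range mapped onto a different range is not among the cases the page lists.
            raise ValueError("range to a different port range is not a supported case")
        return self.translated_destination_ip, new_port


def apply_napt(rules: list[NaptRule], interface: str, proto: str,
               dst_ip: str, dst_port: int) -> tuple[str, int]:
    """First matching rule wins (assumed); a frame no rule matches is left unchanged."""
    for rule in rules:
        result = rule.translate(interface, proto, dst_ip, dst_port)
        if result is not None:
            return result
    return dst_ip, dst_port


if __name__ == "__main__":
    # Constructed rules. Every NAPT entry exposes an internal node, so each
    # "Destination Port" is kept as narrow as the use case allows.
    rules = [
        NaptRule("vlan2", "tcp", "203.0.113.10", "502", "192.168.1.20", "502"),
        NaptRule("vlan2", "tcp", "203.0.113.10", "30 - 40", "192.168.1.21", "8080"),
    ]
    print(apply_napt(rules, "vlan2", "tcp", "203.0.113.10", 502))  # ('192.168.1.20', 502)
    print(apply_napt(rules, "vlan2", "tcp", "203.0.113.10", 35))   # ('192.168.1.21', 8080)
    print(apply_napt(rules, "vlan2", "udp", "203.0.113.10", 35))   # ('203.0.113.10', 35)
```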

The table has the following columns:
● Select
Select the check box in the row to be deleted.
● Source Interface
Shows the interface from which the packets need to come. Only these packets are
considered for port forwarding.
● Traffic Type
Shows the protocol for which the address assignment applies.
● Interface IP
Shows whether the IP address of the interface is used.
● Destination IP
Shows the destination IP address. The frames are received at this IP address.
● Destination Port
Shows the destination port. Incoming frames with this port as the destination port are
forwarded.
● Translated Destination IP
Shows the IP address of the node to which the packets will be forwarded.
● Translated Destination Port
Shows the destination port to which the packets are translated.

4.8.3.3 Source NAT
On this page, you configure the rules for source NAT.

Note
Firewall rule with source NAT
Address translation with source NAT is only performed after the firewall; the
non-translated addresses are therefore used in the firewall rule.
Security > Firewall > IP rules
• Source (Range): Input from "Source IP Addresses"
• Destination (Range): Input from "Destination IP Addresses"

Description
● Source Interface / Destination Interface
Specify the direction of the connection establishment. Only connections established in
this specified direction are taken into account.
The virtual interfaces of VPN connections can also be selected:
– VLANx: VLANs with configured subnet
– ppp0 or usb0 (only with M876-4): WAN interface
– SINEMA RC: Connection to SINEMA RC Server
– IPsec: Either all IPsec VPN connections (all) or a specific IPsec VPN connection
– OpenVPN: Either all OpenVPN connections (all) or a specific OpenVPN connection

Note
When you configure a NAT address translation to or from the direction of the VPN tunnel,
only the IP addresses involved in the NAT address translation rules can be reached via
the VPN tunnel.

● Source IP Address(es)
Specify the source IP addresses for which this source NAT rule is valid. Only the packets
that correspond to the addresses entered are taken into account.
The following entries are possible:
– IP address: Applies precisely to the specified IP address.
– IP address range: Applies to a certain IP address range: Start IP address "-" End IP
address, e.g. 192.168.100.10 - 192.168.100.20
– IP subnet: Applies to several IPv4 addresses grouped together to form an IP address
range: IP address/number of bits of the network part (CIDR notation)
● Use Interface IP from Destination Interface
When enabled, the IP address of the selected destination interface is used in "Translated
Source IP Address".
● Translated Source IP Address
Enter the IP address with which the IP address of the sender is replaced. Can only be
edited if "Use Interface IP from Destination Interface" is disabled.
● Destination IP Address(es)
Specify the destination IP addresses for which this source NAT rule is valid. Only the
packets whose destination IP address is in the range of entered addresses are taken into
account.
– IP address: Applies precisely to the specified IP address.
– IP address range: Applies to a certain IP address range: Start IP address "-" End IP
address, e.g. 192.168.100.10 - 192.168.100.20
– IP subnet: Applies to several IPv4 addresses grouped together to form an IP address
range: IP address/number of bits of the network part (CIDR notation)
The table has the following columns:
● Select
Activate the check box in the row to be deleted.
● Source Interface
Shows the source interface.
● Destination Interface
Shows the destination interface.
● Source IP Address(es)
Shows the IP addresses of the senders for which address translation is required.
● Use Interface IP
Shows whether the IP address of the selected destination interface is used in "Translated
Source IP Address".
● Translated Source IP Address
Shows the IP address with which the IP address of the sender is replaced.
● Destination IP Address(es)
Shows the IP addresses of the recipients for which address translation is required.

4.8.3.4 NETMAP
On this WBM page, you specify the rules for NETMAP. NETMAP is static 1:1 mapping of
network addresses in which the host part is retained. For more information, refer to the
section "NAT and firewall (Page 49)".

Note
Firewall rule with source NAT
Address translation with source NAT is only performed after the firewall; the
non-translated addresses are therefore used in the firewall rule.
Security > Firewall > IP rules
• Source (Range): Input from "Source IP Subnet"
• Destination (Range): Input from "Destination IP Subnet"
Firewall rule with destination NAT
Address translation with NAT was already performed before the firewall; the translated
addresses are therefore used in the firewall.
Security > Firewall > IP rules
• Source (Range): Input from "Source IP Subnet"
• Destination (Range): Input from "Translated Destination IP Subnet"

Description
● Type
Specify the type of address translation.
– Source: Replacement of the source IP address
– Destination: Replacement of the destination IP address
● Source Interface
Specify the source interface.
– VLANx: VLANs with configured subnet
– ppp0 or usb0 (only with M876-4): WAN interface
– SINEMA RC: Connection to SINEMA RC Server
– IPsec: Either all IPsec VPN connections (all) or a specific IPsec VPN connection
– OpenVPN: Either all OpenVPN connections (all) or a specific OpenVPN connection
● Destination Interface
Specify the destination interface.
– VLANx: VLANs with configured subnet
– ppp0 or usb0 (only with M876-4): WAN interface
– SINEMA RC: Connection to SINEMA RC Server
– IPsec: Either all IPsec VPN connections (all) or a specific IPsec VPN connection
– OpenVPN: Either all OpenVPN connections (all) or a specific OpenVPN connection
● Source IP Subnet
Enter the subnet of the sender.
The subnet can also be a single PC or another subset of the subnet. Use the CIDR
notation.
● Translated Source IP Subnet
Enter the subnet with which the subnet of the sender is replaced. Can only be edited with
the setting "Source".
The subnet can also be a single PC or another subset of the subnet. Use the CIDR
notation.
● Destination IP Subnet
Enter the subnet of the recipient.
The subnet can also be a single PC or another subset of the subnet. Use the CIDR
notation.
● Translated Destination IP Subnet
Enter the subnet with which the subnet of the recipient is replaced. Can only be edited
with the setting "Destination".
The subnet can also be a single PC or another subset of the subnet. Use the CIDR
notation.
● Bidirectional rule
When this is enabled, the NETMAP rule for the opposite direction is automatically created
when the NETMAP rule is created.
The NETMAP rules are not connected to one another after creation. This means that no
synchronization takes place between the NETMAP rules when they are changed or
deleted.
● Auto Firewall Rule
When this is enabled, the corresponding firewall rule is automatically created when the
NETMAP rule is created. These firewall rules are displayed under "Security > Firewall >
IP rules". If you change or delete the NETMAP rules, the corresponding firewall rules are
adjusted or deleted.
The table has the following columns:
● Select
Select the check box in the row to be deleted.
● Type
Shows the direction of the address translation.
● Source Interface
Shows the source interface.
● Destination Interface
Shows the destination interface.
● Source IP Subnet
Shows the subnet of the sender. This entry can be changed when necessary.
● Translated Source IP Subnet
Shows the subnet of the sender with which the subnet of the sender is replaced. This
entry can be changed when necessary.
● Destination IP Subnet
Shows the subnet of the recipient. This entry can be changed when necessary.
● Translated Destination IP Subnet
Shows the subnet of the recipient with which the subnet of the recipient is replaced. This
entry can be changed when necessary.
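The 1:1 NETMAP translation with the host part retained, and the ordering stated in the notes above (destination NAT before the firewall, source NAT after it), as an added example that shows which addresses the IP rule must be written for; this is not Siemens code, and the subnets, interface names and packets are constructed.

```python
"""Added example (not Siemens code): NETMAP 1:1 translation that keeps the host part,
walked through in the order the notes above give (destination NAT before the firewall,
source NAT after it), so the IP rule is written for the addresses the firewall sees.
Subnets, interface names and packets are constructed."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass


def netmap(address: str, subnet: str, translated_subnet: str) -> str:
    """Map one address from subnet to translated_subnet (both in CIDR notation),
    replacing the network part and keeping the host part unchanged."""
    net = ipaddress.ip_network(subnet, strict=False)
    tnet = ipaddress.ip_network(translated_subnet, strict=False)
    ip = ipaddress.ip_address(address)
    if net.prefixlen != tnet.prefixlen:
        raise ValueError("1:1 NETMAP needs equal prefix lengths")
    if ip not in net:
        raise ValueError(f"{address} is not in {subnet}")
    host_bits = int(ip) & int(net.hostmask)
    return str(ipaddress.ip_address(int(tnet.network_address) | host_bits))


@dataclass(frozen=True)
class NetmapRule:
    type: str                   # "Source" or "Destination"
    source_interface: str
    destination_interface: str
    source_subnet: str          # "Source IP Subnet"
    destination_subnet: str     # "Destination IP Subnet"
    translated_subnet: str      # translated source or destination subnet, depending on type

    def matches(self, src_if: str, dst_if: str, src: str, dst: str) -> bool:
        """Direction of the packet and both address ranges must fit the rule."""
        src_net = ipaddress.ip_network(self.source_subnet, strict=False)
        dst_net = ipaddress.ip_network(self.destination_subnet, strict=False)
        return (src_if == self.source_interface and dst_if == self.destination_interface
                and ipaddress.ip_address(src) in src_net
                and ipaddress.ip_address(dst) in dst_net)


def forward(rules: list[NetmapRule], src_if: str, dst_if: str,
            src: str, dst: str) -> tuple[tuple[str, str], tuple[str, str]]:
    """Walk one packet through the order described in the notes and return
    ((source, destination) the firewall sees, (source, destination) after NETMAP)."""
    # 1. Destination NETMAP is performed before the firewall.
    for rule in rules:
        if rule.type == "Destination" and rule.matches(src_if, dst_if, src, dst):
            dst = netmap(dst, rule.destination_subnet, rule.translated_subnet)
            break
    # 2. Security > Firewall > IP rules are evaluated on exactly these addresses.
    firewall_sees = (src, dst)
    # 3. Source NETMAP is performed after the firewall, on the already translated destination.
    for rule in rules:
        if rule.type == "Source" and rule.matches(src_if, dst_if, src, dst):
            src = netmap(src, rule.source_subnet, rule.translated_subnet)
            break
    return firewall_sees, (src, dst)


def firewall_rule_for(rule: NetmapRule) -> dict[str, str]:
    """Source (Range) and Destination (Range) the IP rule must use, as the notes state:
    untranslated addresses for a source rule, the translated destination for a
    destination rule. A rule written for the wrong stage never matches the traffic."""
    if rule.type == "Source":
        return {"Source (Range)": rule.source_subnet,
                "Destination (Range)": rule.destination_subnet}
    return {"Source (Range)": rule.source_subnet,
            "Destination (Range)": rule.translated_subnet}


if __name__ == "__main__":
    # Constructed: the cell subnet 10.0.0.0/24 is reached from the plant network
    # (203.0.113.0/24) as 172.16.0.0/24; replies from the cell appear as 172.16.0.0/24.
    rules = [NetmapRule("Destination", "vlan2", "vlan1",
                        "203.0.113.0/24", "172.16.0.0/24", "10.0.0.0/24"),
             NetmapRule("Source", "vlan1", "vlan2",
                        "10.0.0.0/24", "203.0.113.0/24", "172.16.0.0/24")]
    print(forward(rules, "vlan2", "vlan1", "203.0.113.9", "172.16.0.5"))
    print(forward(rules, "vlan1", "vlan2", "10.0.0.5", "203.0.113.9"))
    for rule in rules:
        print(rule.type, "rule needs IP rule:", firewall_rule_for(rule))
```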

4.8.4 VRRPv3

4.8.4.1 Router

Introduction
Using the "Create" button, you can create new virtual routers. A maximum of 2 virtual routers
can be configured. You can configure other parameters on the "Configuration" tab.

Note
• You can use VRRPv3 on VLAN interfaces.

Requirement
For the incoming VRRP packets to be forwarded to the device, you must configure the
following firewall rule:
Security > Firewall > IP protocol:
● Protocol Name: "VRRP"
● Protocol Number: 112
Security > Firewall > IP rules:
● Protocol: IPv4
● Action: Accept
● From: <Interface>
● To: Device
● Source (Range): 0.0.0.0/0
● Destination (Range): 224.0.0.18/32
● Services: VRRP

Description
The page contains the following:
● VRRPv3
Enable or disable routing using VRRPv3.
● Reply to pings on virtual interfaces
When enabled, the virtual IPv4 addresses also reply to the ping.
● VRID-Tracking
Enable or disable VRID tracking.
When enabled, all VRRP instances are monitored. If the status of a VRRP instance
changes to "Initialize", the priority of all VRRP instances is reduced to the value "1".
If the status of a VRRP instance changes, the original priority of all VRRP instances is
restored.
● Interface
Select the required VLAN interface operating as virtual router.
● VRID
Enter the ID of the virtual router. This ID defines the group of routers that form a virtual
router (VR). The ID is the same for all routers in the group and cannot be used for
another group. Valid values are 1 - 255.
The table has the following columns:
● Select
Select the check box in the row to be deleted.
● Interface
Shows the Interface that functions as the virtual router.
● VRID
Shows the ID of the virtual router.
● Virtual MAC Address
Shows the virtual MAC address of the virtual router.
● Primary IP Address
Shows the numerically lowest IPv4 address in this VLAN. The entry 0.0.0.0 means that
the "Primary" address on this VLAN is used. Otherwise all IPv4 addresses configured on
this VLAN in the "Layer 3 (IPv4) > Subnets" menu are valid values.
● Router State
Shows the current status of the virtual router. Possible values are:
– Master
The router is the master router and handles the routing functionality for all assigned
IPv4 addresses.
– Backup
The router is the backup router. If the master router fails, the backup router takes over
the tasks of the master router.
– Initialize
The virtual router has just been turned on. It will soon change to the "Master" or
"Backup" status.
● Master IP Address
Shows the IPv4 address of the master router.
● Priority
Shows the priority of the virtual router.
Valid values are 1-254.
If an IPv4 address is assigned to the VRRP router that is also actually configured on the
local IPv4 interface, the value 255 is entered automatically. All other priorities can be
distributed freely among the VRRP routers. The higher the priority, the earlier the VRRP
router becomes "Master".
● Advert. Interval
Shows the interval at which the master router sends VRRPv3 packets.
● Preempt
Shows the precedence of a router when changing roles between backup and master.
– yes
This router has precedence when changing roles.
– no
This router does not have precedence when changing roles.

VRRP and DHCP server
If you want to operate a DHCP server on the devices of a VRRP group, the DHCP server
must be configured on the master router. Backup routers do not react to DHCP queries.
Make sure that the master router is statically configured and that, after a failure, it becomes
the master of the VRRP group again.

Procedure
1. Select the "VRRPv3" check box.
2. Select the required interface.
3. Enter the ID of the virtual router in the "VRID" input box.
4. Click the "Create" button. A new row is inserted in the table.
5. Select the "Reply to pings on virtual interfaces" check box so that virtual IPv4 addresses
reply to pings as well.
6. Select the "VRID Tracking" check box to monitor the VRID.
7. Click the "Set Values" button. To configure the virtual router, click on the "Configuration"
tab.

4.8.4.2 Configuration

Introduction
On this page, you configure the virtual router.

Description
The page contains the following:
● Interface / VRID
Select the ID of the virtual router to be configured.
● Primary Address
Select the primary IPv4 address. If the router becomes master router, the router uses this
IPv4 address.

Note
If you only configure one subnet on this VLAN, no entry is necessary. The entry is then
0.0.0.0.
If you configure more than one subnet on the VLAN and you want a specific IPv4 address
to be used as the source address for VRRP packets, select the IPv4 address. Otherwise,
the numerically lowest IPv4 address will be used.

● Master
When enabled, the numerically lowest IPv4 address is entered for "Associated IP
Address". This means that the numerically lowest IPv4 address of the VRRPv3 router is
used as the virtual IP address of the virtual master router. The backup routers in this
group must disable the option and use the IPv4 address of the router for "Associated IP
address".
● Priority
Enter the priority of this virtual router. Valid values are 1-254.
If an IPv4 address is assigned to the VRRPv3 router that is also actually configured on
the local IPv4 interface, the value 255 is entered automatically. All other priorities can be
distributed freely among the VRRPv3 routers. The higher the priority, the earlier the
VRRPv3 router becomes "Master".
● Advertisement interval
Enter the interval in seconds after which a master router sends a VRRPv3 packet again.
● Preempt lower priority Master
Allow precedence when changing roles between backup and master based on the
selection process.
● VRRP Compatible Mode
When enabled, the VRRPv3 router sends and receives VRRPv2 frames in addition to
VRRPv3 frames for configured IPv4 addresses. Only necessary when not all VRRP
routers support VRRPv3.
● Track ID
Select a track ID.
● Decrement Priority
Enter the value by which the priority of the VRRPv3 interface will be reduced.
● Current Priority
Shows the priority of the VRRPv3 interface after the monitored interface has changed to
the "down" status.

Procedure
To configure a virtual router as the master router, follow the steps below:
1. Select the ID of the virtual router you want to configure from the "Interface / VRID" drop-
down list.
2. Select the "Status" check box.
3. Select the source address from the "Primary Address" drop-down list.
4. From the "Priority" drop-down list, enter the priority of this virtual router.
5. Select the "Master" check box.
6. Enter the interval in "Advertisement Interval".
7. Select the "Preempt lower priority Master" check box.
8. Select the "VRRP Compatible Mode" check box.
9. Select a track ID.
10. Enter the value by which the priority of the VRRPv3 interface will be reduced.
11. Click the "Set Values" button.

4.8.4.3 Address overview

Overview
This page shows which IPv4 addresses the virtual router monitors. Each virtual router can
monitor one IPv4 address.

Description of the displayed values


The table has the following columns:
● Interface
Shows the Interface that functions as the virtual router.
● VRID
Shows the ID of this virtual router.

● Number of Addresses
Shows the number of IPv4 addresses.
● Associated IP Address (1) ...Associated IP Address (4)
Shows the router IPv4 addresses monitored by this virtual router. If a router takes over
the role of master, the routing function is taken over by this router for all these IPv4
addresses.

4.8.4.4 Address Configuration

Creating or changing the monitored IP addresses


On this page, you can create, modify or delete the IPv4 addresses to be monitored. Each
virtual router can monitor one IPv4 address.

Description
The page contains the following:
● Interface / VRID
Select the ID of the virtual router.
● Associated IP Address
Enter the IPv4 address that the virtual router will monitor.
The table has the following columns:
● Select
Select the check box in the row to be deleted.
● Associated IP Address
Shows the IPv4 addresses that the virtual router monitors.

Procedure
1. Select the ID of the virtual router.
2. Enter the IPv4 address that the virtual router will monitor.
3. Click the "Create" button. A new entry is generated in the table.

4.8.4.5 Interface Tracking

Introduction
On this page, you configure the monitoring of interfaces.
When the link of a monitored interface changes from "up" to "down", the priority of the
assigned VRRP interface is reduced. You configure the value by which the priority is
reduced on the page "Layer 3 > VRRPv3 > Configuration".
When the link of the interface changes back from "down" to "up", the original priority of the
VRRP interface is restored.

Description
The page contains the following boxes:
● Interface
From the drop-down list, select the interface to be monitored.
● Track ID
Enter a track ID.

● Track ID
Select a track ID.
● Track Interface Count
Enter how many monitored interfaces need to change to the "down" status, before the
priority is changed.
The table has the following columns:
● Select
Select the check box in the row to be deleted.
● Track ID
Shows the track ID.
● Interface
Shows the interface that is being monitored.

Procedure
1. Select the required interface from the "Interface" drop-down list.
2. In the "Track ID" box, enter the required ID.
3. Click the "Create" button.
4. Select an ID from the "Track ID" drop-down list.
5. In the "Track Interface Count" enter the number of interfaces.
6. Click the "Set Values" button.
7. Link the monitoring to a VRRP interface in the "Configuration" tab.
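The following Python model is an added example and not part of the manual or of the device firmware. It shows how the settings on the "Configuration" and "Interface Tracking" pages interact: the "Current Priority" of a VRRPv3 interface, the effect of "Track Interface Count" and "Decrement Priority" when monitored links go down, and which router of a VRID holds the master role depending on "Preempt lower priority Master". Router and interface names are constructed, and the floor of 1 for a reduced priority is an assumption of this example.

```python
"""Effective VRRPv3 priority with interface tracking, and master election.

Added example (not Siemens code). It models the behaviour described on
"Layer 3 > VRRPv3 > Configuration" and "Interface Tracking": a track ID
is bound to one or more monitored interfaces; once at least "Track
Interface Count" of them are down, the VRRP interface's priority is
reduced by "Decrement Priority" and restored when the links come back.
Among the routers of one VRID the highest current priority becomes master;
a router with "Preempt lower priority Master" disabled does not take the
role away from a running master. Router and interface names are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Track:
    track_id: int
    interfaces: List[str]      # monitored interfaces, e.g. ["P1", "P2"] (constructed names)
    interface_count: int       # "Track Interface Count": how many must be down


@dataclass
class VrrpRouter:
    name: str
    vrid: int
    priority: int              # configured priority 1-254 (255 = owns the address)
    track: Optional[Track] = None
    decrement: int = 0         # "Decrement Priority"
    preempt: bool = True       # "Preempt lower priority Master"
    link_up: Dict[str, bool] = field(default_factory=dict)   # interface -> link state

    def current_priority(self) -> int:
        """'Current Priority' as shown on the page: the configured value minus the
        decrement once enough tracked interfaces are down (floor of 1 is an assumption)."""
        if self.track is None:
            return self.priority
        down = sum(1 for i in self.track.interfaces if not self.link_up.get(i, True))
        if down >= self.track.interface_count:
            return max(1, self.priority - self.decrement)
        return self.priority


def elect_master(routers: List[VrrpRouter], current_master: Optional[str] = None) -> str:
    """Name of the router that holds the master role after the next election.

    current_master is the router currently in the role, or None at start-up.
    A higher-priority backup takes over only if its preempt option is set,
    except the address owner (priority 255), which always becomes master.
    """
    best = max(routers, key=lambda r: r.current_priority())
    if current_master is None:
        return best.name
    if best.name == current_master:
        return current_master
    if best.current_priority() == 255 or best.preempt:
        return best.name
    return current_master


if __name__ == "__main__":
    r1 = VrrpRouter("R1", 1, 200, Track(1, ["P1", "P2"], 1), decrement=60)
    r2 = VrrpRouter("R2", 1, 150)
    print(elect_master([r1, r2]))            # R1
    r1.link_up["P1"] = False                 # one tracked link goes down
    print(r1.current_priority())             # 140
    print(elect_master([r1, r2], "R1"))      # R2 takes over
```

The decrement should be chosen so that the reduced priority drops below the backup's priority; otherwise a failed uplink on the master does not trigger a role change, which is the situation the tracking feature is meant to cover.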

4.9 "Security" menu

4.9.1 Users

4.9.1.1 Local users

User accounts
On this page, you create local user accounts with the corresponding rights. To create a user
account, the logged on user must have the "admin" role.

Description
The page contains the following:
● User Account
Enter the name for the user. The name must meet the following conditions:
– It must be unique.
– It must be between 1 and 250 characters long.
– It must not contain the following characters: § ? " ; :
– The characters for Space and Delete also cannot be included.

Note
User name cannot be changed
After creating a user, the user name can no longer be modified.
If a user name needs to be changed, the user must be deleted and a new user created.

Note
User names: admin
You can configure the device with this user name.
When you log in for the first time or log in after a "Restore Factory Defaults and Restart",
you will be prompted to change the predefined password "admin". You can also rename
the "admin" user preset in the factory once. Afterwards, renaming "admin" is no longer
possible.

● Password Policy
Shows which password policy is being used.
– High
Password length: at least 8 characters, maximum 128 characters
At least 1 uppercase letter
At least 1 special character
At least 1 number
– Low
Password length: at least 6 characters, maximum 128 characters
You configure the password policy on the page "Security > Passwords > Options".
● Password
Enter the password. The strength of the password depends on the set password policy.
It must not contain the following characters: § and ß

● Password Confirmation
Enter the password again to confirm it.
● Role
Select a role.
You can choose between default and self-defined roles, refer to the page "Security >
Users > Roles".
The table contains the following columns:
● Select
Select the check box in the row to be deleted.

Note
The users preset in the factory as well as logged in users cannot be deleted or changed.

● User Account
Shows the user name.
● Role
Shows the role of the user.
● Description
Displays a description of the user account. The description text can be up to 100
characters long.
● Remote access
– Only
Only remote access, which means no rights other than logging into the WBM page for
user-specific firewall.
– None
No remote access. The user cannot log on to the user-specific firewall, but only to the
WBM of the device.
– Additional
The user can log on to both the WBM of the device and the user-specific firewall.

Procedure

Note
Changes in "Trial" mode
Even if the device is in "Trial" mode, changes that you carry out on this page are saved
immediately.

Creating users
1. Enter the name for the user.
2. Enter the password for the user.
3. Enter the password again to confirm it.
4. Select the role of the user.
5. Click the "Create" button.
6. Enter a description of the user.
7. Click the "Set Values" button.
Deleting users
1. Select the check box in the row to be deleted.
2. Click the "Delete" button. The entries are deleted and the page is updated.

4.9.1.2 Roles

Roles
On this page, you create roles that are valid locally on the device.

Note
The values displayed depend on the rights of the logged-in user.

Description
The page contains the following:
● Role Name
Enter the name for the role. The name must meet the following conditions:
– It must be unique.
– It must be between 1 and 64 characters long.

Note
Role name cannot be changed
After creating a role, the name of the role can no longer be changed.
If a name of a role needs to be changed, the role must be deleted and a new role
created.

The table contains the following columns:


● Select
Select the check box in the row to be deleted.

Note
Predefined roles and assigned roles cannot be deleted or modified.

● Role
Shows the name of the role.
● Function Right
Select the function rights of the role.
– 1
Users with this role can read device parameters but cannot change them. Users with
this role can change their own password.
– 15
Users with this role can both read and change device parameters.

Note
Function right cannot be changed
If you have assigned a role, you can no longer change the function right of the role.
If you want to change the function right of a role, follow the steps outlined below:
1. Delete all assigned users.
2. Change the function right of the role.
3. Assign the role again.

● Description
Enter a description for the role. With predefined roles a description is displayed. The
description text can be up to 100 characters long.

Procedure
Creating a role
1. Enter the name for the role.
2. Click the "Create" button.
3. Select the function rights of the role.
4. Enter a description of the role.
5. Click the "Set Values" button.
Deleting a role
1. Select the check box in the row to be deleted.
2. Click the "Delete" button. The entries are deleted and the page is updated.

4.9.1.3 Groups

User groups
On this page you link a group with a role.

In this example the group "Administrators" is linked to the "admin" role: The group is defined
on a RADIUS server. The role is defined locally on the device. When a RADIUS server
authenticates a user and assigns the user to the "Administrators" group, this user is given
rights of the "admin" role.

Note
The values displayed depend on the rights of the logged-in user.

Description
The page contains the following:
● Group Name
Enter the name of the group. The name must match the group on the RADIUS server.
The name must meet the following conditions:
– It must be unique.
– It must be between 1 and 64 characters long.
– The following are not permitted: § ? " ; :
The table contains the following columns:
● Select
Select the check box in the row to be deleted.
● Group
Shows the name of the group.
● Role
Select a role. Users who are authenticated with the linked group on the RADIUS server
receive the rights of this role locally on the device.
You can choose between system-defined and self-defined roles, refer to the page
"Security > Users > Roles".
● Description
Enter a description for the link of the group to a role. The description text can be up to
100 characters long.

Procedure
Linking a group to a role
1. Enter the name of a group.
2. Click the "Create" button.
3. Select a role.
4. Enter a description for the link of a group to a role.
5. Click the "Set Values" button.
Deleting the link between a group and a role
1. Select the check box in the row to be deleted.
2. Click the "Delete" button. The entries are deleted and the page is updated.

4.9.2 Passwords

Configuration of the passwords

A user with the "admin" role can change the password of already created users. With the
"user" role, users can only change their own password.

Description
The page contains the following:
● Current User
Shows the user that is currently logged in.
● Current User Password
Enter the password for the currently logged in user.

● User Account
Select the user whose password you want to change.
● Password Policy
Shows which password policy is being used when assigning new passwords.
– High
Password length: at least 8 characters, maximum 128 characters
At least 1 uppercase letter
At least 1 special character
At least 1 number
– Low
Password length: at least 6 characters, maximum 128 characters
● New Password
Enter the new password for the selected user.
It must not contain the following characters: § and ß

Note
When you log in for the first time or log in after a "Restore Factory Defaults and Restart",
you will be prompted to change the predefined password "admin". You can also rename
the "admin" user preset in the factory once. Afterwards, renaming "admin" is no longer
possible.
The factory setting for the password when the devices ship is as follows:
• admin: admin

Note
Changing the password in Trial mode
Even if you change the password in Trial mode, this change is saved immediately.

● Password Confirmation
Enter the new password again to confirm it.
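The checks below are an added example, not code from the manual or from the device. They implement the user-name conditions from "Security > Users > Local users" and the "High" and "Low" password policies from that page and from "Security > Passwords", so that credentials can be validated before they are entered in the WBM, and they flag the factory default "admin"/"admin" that must be replaced at first login. Reading "special character" as ASCII punctuation is an assumption of this example; the manual does not define the term.

```python
"""Local-user name and password checks as described under
"Security > Users > Local users" and "Security > Passwords".

Added example (not Siemens code): it reproduces the documented rules so an
operator can pre-check credentials before typing them into the WBM.
"""
import string

# Characters the manual forbids in user names; Space and Delete are excluded as well.
USERNAME_FORBIDDEN = set('§?";:') | {" ", "\x7f"}
# Characters the manual forbids in passwords.
PASSWORD_FORBIDDEN = set("§ß")


def check_username(name, existing=()):
    """Return the list of rule violations; an empty list means the name is acceptable."""
    problems = []
    if name in existing:
        problems.append("name is not unique")
    if not 1 <= len(name) <= 250:
        problems.append("length must be 1-250 characters")
    bad = sorted(USERNAME_FORBIDDEN & set(name))
    if bad:
        problems.append("forbidden characters: " + " ".join(repr(c) for c in bad))
    return problems


def check_password(password, policy="High"):
    """Return the list of rule violations for the "High" or "Low" password policy."""
    if policy not in ("High", "Low"):
        raise ValueError("policy must be 'High' or 'Low'")
    problems = []
    minimum = 8 if policy == "High" else 6
    if not minimum <= len(password) <= 128:
        problems.append(f"length must be {minimum}-128 characters")
    if PASSWORD_FORBIDDEN & set(password):
        problems.append("must not contain § or ß")
    if policy == "High":
        if not any(c.isupper() for c in password):
            problems.append("needs at least 1 uppercase letter")
        if not any(c.isdigit() for c in password):
            problems.append("needs at least 1 number")
        # "special character" is taken here to mean ASCII punctuation (assumption)
        if not any(c in string.punctuation for c in password):
            problems.append("needs at least 1 special character")
    return problems


def is_factory_default(user, password):
    """True for the shipped credentials (admin/admin), which must be changed at first login."""
    return user == "admin" and password == "admin"


if __name__ == "__main__":
    print(check_username("op;1"))              # forbidden character ';'
    print(check_password("secret1", "High"))   # too short, no uppercase, no special
    print(check_password("Sc4lance!", "High")) # []
```

Because the policy is selected under "Security > Passwords > Options", a script that provisions several devices should read the policy from each device rather than assume "High"; a password that passes "Low" is rejected on a device set to "High".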

4.9.3 AAA

4.9.3.1 General

Login of network nodes


The designation "AAA" stands for "Authentication, Authorization, Accounting". This feature is
used to identify and admit network nodes, to make the corresponding services available to
them and to define the scope of their use.
On this page, you configure the login.

Description
The page contains the following boxes:

Note
To be able to use the login authentication "RADIUS", "Local and RADIUS" or "RADIUS and
fallback Local" a RADIUS server must be stored and configured for user authentication.

● Login Authentication
Specify how the login is made:
– Local
The authentication must be made locally on the device.
– RADIUS
The authentication must be handled via a RADIUS server.
– Local and RADIUS
The authentication is possible both with the users that exist on the device (user name
and password) and via a RADIUS server.
The user is first searched for in the local database. If the user does not exist there, a
RADIUS request is sent.
– RADIUS and fallback Local
The authentication must be handled via a RADIUS server.
A local authentication is performed only when the RADIUS server cannot be reached
in the network.

4.9.3.2 RADIUS client

Authentication over an external server


The concept of RADIUS is based on an external authentication server.
Each row of the table contains access data for one server. In the search order, the primary
server is queried first. If the primary server cannot be reached, secondary servers are
queried in the order in which they are entered.
If no server responds, there is no authentication.

Description of the displayed boxes


The page contains the following boxes:
● RADIUS Authorization Mode
For the login authentication, the RADIUS authorization mode specifies how the rights are
assigned to the user with a successful authentication.
– Conventional
In this mode the user is logged in with administrator rights if the server returns the
value "Administrative User" to the device for the attribute "Service Type". In all other
cases the user is logged in with read rights.
– SiemensVSA
In this mode, the assignment of rights depends on whether and which group the
server returns for the user and whether there is an entry for the user in the table
"External User Accounts".
The table has the following columns:
● Select
Select the row you want to delete.
● RADIUS Server Address
Enter the IPv4 address or the FQDN (Fully Qualified Domain Name) of the RADIUS
server.
● Server Port
Here, enter the input port on the RADIUS server. As default, input port 1812 is set. The
range of values is 1 to 65535.
● Shared Secret
Enter your access ID here. The range of values is 1...128 characters.
● Shared Secret Conf.
Enter your access ID again as confirmation.
● Max. Retrans.
Here, enter the maximum number of retries for an attempted request.
The initial connection attempt is repeated the number of times specified here before
another configured RADIUS server is queried or the login counts as having failed. As
default 3 retries are set, this means 4 connection attempts. The range of values is 1 to 5.
● Primary Server
Using the options in the drop-down list, specify whether or not this server is the primary
server. You can select one of the options "yes" or "no".

● Test
With this button, you can test whether or not the specified RADIUS server is available.
The test is performed once and not repeated cyclically.
● Test Result
Shows whether or not the RADIUS server is available:
– Not reachable
Either the IP address is not reachable, or the IP address is reachable but the RADIUS
server is not running.
– Reachable, key not accepted
The IP address is reachable, the RADIUS server does not, however accept the shared
secret.
– Reachable, key accepted
The IP address is reachable, the RADIUS server accepts the specified shared secret.
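The following Python model is an added example, not code from the manual or from the device. It covers the four "Login Authentication" modes of "Security > AAA > General" together with the server search order and "Max. Retrans." behaviour of this page, and the two "RADIUS Authorization Mode" settings. The RADIUS transport is replaced by a `send` callable (an assumption of the example) that returns `None` when a server gives no answer; the local user table, the server list and the group-to-role table are constructed inline, and the "External User Accounts" table is not modelled.

```python
"""Login decision for the modes on "Security > AAA > General" and the server
search order on "Security > AAA > RADIUS client".

Added example (not Siemens code). The RADIUS transport is replaced by a
`send` callable that returns None when a server does not answer, or a dict
describing its reply; a real client sends RADIUS Access-Request packets.
The local user database, the server list and the group-to-role table are
constructed inline. The "External User Accounts" table mentioned for
SiemensVSA mode is not modelled (simplifying assumption).
"""
import hmac
from dataclasses import dataclass

UNREACHABLE = object()   # sentinel: no RADIUS server answered


@dataclass
class RadiusServer:
    address: str
    port: int = 1812         # default input port on the page
    max_retrans: int = 3     # 3 retries = 4 attempts in total
    primary: bool = False


def query_radius(servers, user, password, send):
    """Ask the servers in search order: the primary first, then the others in
    the order they were entered. Each server gets max_retrans + 1 attempts.
    Returns the first reply, or UNREACHABLE when no server answers at all."""
    ordered = [s for s in servers if s.primary] + [s for s in servers if not s.primary]
    for server in ordered:
        for _ in range(server.max_retrans + 1):
            reply = send(server, user, password)
            if reply is not None:
                return reply
    return UNREACHABLE


def radius_role(reply, mode="Conventional", groups=None):
    """Map an accepting reply to a local role per "RADIUS Authorization Mode"."""
    if mode == "Conventional":
        # "Administrative User" in Service-Type -> admin, anything else -> read-only user
        return "admin" if reply.get("Service-Type") == "Administrative User" else "user"
    if mode == "SiemensVSA":
        # the group returned by the server is linked to a role under "Security > Users > Groups"
        return (groups or {}).get(reply.get("group"))
    raise ValueError(f"unknown authorization mode {mode!r}")


def login(mode, user, password, local_users, servers, send,
          auth_mode="Conventional", groups=None):
    """Return the role granted to the user, or None if the login is refused.

    mode is one of "Local", "RADIUS", "Local and RADIUS", "RADIUS and fallback Local".
    local_users maps user name -> (password, role).
    """
    def local():
        entry = local_users.get(user)
        # constant-time comparison avoids leaking how many characters matched
        if entry and hmac.compare_digest(entry[0].encode(), password.encode()):
            return entry[1]
        return None

    def remote():
        reply = query_radius(servers, user, password, send)
        if reply is UNREACHABLE:
            return UNREACHABLE
        return radius_role(reply, auth_mode, groups) if reply.get("accept") else None

    if mode == "Local":
        return local()
    if mode == "RADIUS":
        result = remote()
        return None if result is UNREACHABLE else result
    if mode == "Local and RADIUS":
        # the local database is consulted first; RADIUS is asked only for unknown users
        if user in local_users:
            return local()
        result = remote()
        return None if result is UNREACHABLE else result
    if mode == "RADIUS and fallback Local":
        result = remote()
        return local() if result is UNREACHABLE else result
    raise ValueError(f"unknown login authentication {mode!r}")
```

Note the difference between the two mixed modes: in "Local and RADIUS" a user name that exists locally is never forwarded to the server, while in "RADIUS and fallback Local" the local table is consulted only when no server answers, so a reachable server that rejects the user ends the login.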

Procedure
Entering a new server
1. Click the "Create" button. A new entry is generated in the table.
The following default values are entered in the table:
– RADIUS Server Address: 0.0.0.0
– Server Port: 1812
– Max. Retrans.: 3
– Primary server: No
2. In the relevant row, enter the following data in the input boxes:
– RADIUS Server Address
– Server Port
– Shared Secret
– Shared Secret Conf
– Max. Retrans.
– Primary Server
3. If necessary check the reachability of the RADIUS server.
4. Click the "Set Values" button.
Repeat this procedure for every server you want to enter.

Modifying servers
1. In the relevant row, enter the following data in the input boxes:
– RADIUS Server Address
– Server Port
– Shared Secret
– Shared Secret Conf
– Max. Retrans.
– Primary Server
2. If necessary check the reachability of the RADIUS server.
3. Click the "Set Values" button.
Repeat this procedure for every server whose entry you want to modify.
Deleting servers
1. Click the check box in the first column before the row you want to delete to select the
entry for deletion.
Repeat this for all entries you want to delete.
2. Click the "Delete" button. The data is deleted from the memory of the device and the
page is updated.

4.9.4 Certificates

4.9.4.1 Overview
All loaded files (certificates and keys) are shown on this WBM page. You have the following
options for loading files on the device:
● System > Load&Save > HTTP
● System > Load&Save > TFTP
● System > Load&Save > SFTP

Figure 4-1 Part 1

Figure 4-2 Part 2

Description
● Select
Select the check box in the row to be deleted. Only unused certificates can be deleted.
● Type
Shows the type of the loaded file.
– CA Cert
The CA certificate is signed by a CA (Certification Authority).
– Machine certificate
– Key File
– Remote Cert
Partner certificate
● Filename
Shows the file name.
● Status
Shows whether the certificate is valid or has already expired.
● Subject DN
Shows the name of the applicant.
● Issuer DN
Shows the name of the certificate issuer.
● Issue Date
Shows the start of the period of validity of the certificate.
● Expiry Date
Shows the end of the period of validity of the certificate.
● Used
Shows which function uses the certificate.

4.9.4.2 Certificates
The format of the certificate is based on X.509, a standard of the ITU-T for creating digital
certificates. This standard describes the schematic structure of X.509 certificates. You will
find further information on this on the Internet at "http://www.itu.int".
On this WBM page, the content of the following structure elements can be displayed. If the
structure element does not exist or is not completed in the selected certificate, nothing is
shown in the box on the right. Certain entries can only be edited if they are supported.

Description
● Filename
Select the required certificate.
● Type
Shows the type of the loaded file.
– CA Cert
The CA certificate is signed by a CA (Certification Authority).
– Machine certificate
– Key File
– Remote Cert
Partner certificate
● DN
Shows the name of the applicant.

● Issuer DN
Shows the name of the certificate issuer.
● Subject Alternate Name
If it exists, an alternative name of the applicant is displayed.
● Issue Date
Shows the start of the period of validity of the certificate.
● Expiry Date
Shows the end of the period of validity of the certificate.
● Serial Number
Shows the serial number of the certificate.
● Used
Shows which function uses the certificate.
● Crypto Algorithm
Shows which cryptographic method is used.
● Key Usage
Shows the purpose that the key belonging to the certificate is used for, e.g. to verify
digital signatures.
● Extended Key Usage
Shows whether the purpose is additionally restricted, e.g. only to verify signatures of the
CA certificate.
● Key File
Shows the key file.
● Certificate Revocation List 1st URL
Enter the URL with which the revocation list can be called up. Can only be edited if
supported by the certificate.
● Certificate Revocation List 2nd URL
Enter an alternative URL. If the revocation list cannot be called up using the 1st URL, the
alternative URL is used. Can only be edited if supported by the certificate.
● Certificate
Shows the name of the certificate.
● Passphrase
Enter the password for the certificate. Can only be edited if the encrypted file is password
protected.
● Passphrase Confirmation
Enter the password again. Can only be edited if the encrypted file is password protected.

4.9.5 Firewall

4.9.5.1 General
On this WBM page, you enable the firewall.

Note
Please remember that if you disable the firewall, your internal network is unprotected.

Description
The page contains the following:
● Activate Firewall
When enabled, the firewall is active.
● TCP Idle Timeout [s]
Enter the required time in seconds. If no data exchange takes place, the TCP connection
is terminated automatically when this time has elapsed.
The range of values is 1 to 21474836.
Default setting: 86400 seconds
● UDP Idle Timeout [s]
Enter the required time in seconds. If no data exchange takes place, the UDP connection
is terminated automatically when this time has elapsed.
The range of values is 1 to 21474836.
Default setting: 300 seconds
● ICMP Idle Timeout [s]
Enter the required time in seconds. If no data exchange takes place, the ICMP
connection is terminated automatically when this time has elapsed.
The range of values is 1 to 21474836.
Default setting: 300 seconds

4.9.5.2 Predefined IPv4 rules


The WBM page contains predefined IP packet filter rules. If you create your own IP packet
filter rules, these have a higher priority than the predefined IP packet filter rules.
Here, you can set which services of the device should be reachable from which
interface/subnet.

Description
● Interface
Interface to which the setting relates. The list of interfaces/subnets is dynamic and is
based on the settings from "Layer 3 > Subnet".
– VLANx: Allows access from the IP subnet to the device.
● Access over the firewall is permitted to the following IPv4 services:
– All
All predefined IPv4 services
– HTTP
For access to Web Based Management.
– HTTPS
For secure access to Web Based Management.

Note
HTTP and HTTPS deactivated
If you disable HTTP and HTTPS, the WBM of the device can no longer be reached.
HTTPS disabled
When you disable HTTPS, you can only access the WBM using HTTP. This assumes
that "HTTP & HTTPS" is set in "System > Configuration > HTTP Services". If for
example "Redirect HTTP to HTTPS" is set, access via HTTP cannot be redirected to
HTTPS. This means that the WBM of the device can no longer be reached.

– DNS
DNS queries to the device. Necessary only if the "DNS-Relay" function is enabled on
the device.
– SNMP
Incoming SNMP connections. Required, for example, to access the SNMP information
of the device using an MIB browser or SINEMA Server.
– Telnet
For unencrypted access to the CLI.
– IPSec VPN
Allows IKE (Internet Key Exchange) data transfer from the external network to the
device. Necessary if an IPsec VPN remote station needs to establish a connection to
this device.
– SSH
For encrypted access to the CLI.
– DHCP
Access to the DHCP server or the DHCP client
– Ping
Access to the ping function
– System time
Access to NTP and SNTP.
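The following pre-check is an added example, not code from the manual or from the device. It evaluates the two notes above ("HTTP and HTTPS deactivated" and "HTTPS disabled") against a planned predefined-rule table: for each interface it reports whether Web Based Management would still be reachable, taking the "HTTP Services" setting from "System > Configuration" into account, and it warns when a change would lock the administrator out of every interface or when the firewall is disabled altogether. The interface names and the rule table are constructed; the setting strings "HTTP & HTTPS" and "Redirect HTTP to HTTPS" are the ones named in the manual.

```python
"""Lockout pre-check for the notes on "Security > Firewall > Predefined IPv4
rules" (HTTP and HTTPS deactivated / HTTPS disabled).

Added example (not Siemens code): given the services admitted per interface
and the "HTTP Services" setting from "System > Configuration", it reports
from which interfaces Web Based Management would still be reachable and
warns before a change locks the administrator out. Interface names and the
rule table are constructed for this example.
"""


def _http_flags(allowed):
    """Return (http_allowed, https_allowed) for one interface's admitted services."""
    everything = "All" in allowed
    return everything or "HTTP" in allowed, everything or "HTTPS" in allowed


def wbm_reachable(rules, http_services, firewall_active=True):
    """rules: {interface: set of admitted predefined services, e.g. {"HTTPS", "SSH"}
    or {"All"}}. Returns {interface: True/False} for WBM reachability."""
    result = {}
    for iface, allowed in rules.items():
        if not firewall_active:
            result[iface] = True          # nothing is filtered (and nothing is protected)
            continue
        http, https = _http_flags(allowed)
        # HTTP alone only works while "HTTP & HTTPS" is set; with
        # "Redirect HTTP to HTTPS" the redirect target is blocked by the firewall
        result[iface] = https or (http and http_services == "HTTP & HTTPS")
    return result


def lockout_warnings(rules, http_services, firewall_active=True):
    """Return the warnings an operator should read before clicking "Set Values"."""
    if not firewall_active:
        return ["firewall disabled: the internal network is unprotected"]
    warnings = []
    for iface, allowed in rules.items():
        http, https = _http_flags(allowed)
        if http and not https and http_services == "Redirect HTTP to HTTPS":
            warnings.append(f"{iface}: HTTP is redirected to HTTPS, but HTTPS is blocked")
    if not any(wbm_reachable(rules, http_services).values()):
        warnings.append("WBM would be unreachable from every interface")
    return warnings


if __name__ == "__main__":
    planned = {"vlan1": {"HTTPS", "SSH"}, "vlan2": {"HTTP"}}   # constructed rule table
    print(wbm_reachable(planned, "Redirect HTTP to HTTPS"))
    print(lockout_warnings({"vlan2": {"HTTP"}}, "Redirect HTTP to HTTPS"))
```

Run the check with the rule table as it will look after the planned change, not as it is now; the second warning is the one that matters, since a device whose WBM is unreachable from every interface can no longer be corrected through the same WBM.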

4.9.5.3 User-specific
On this page, you define user-specific rule sets. Firewall rules that are required for remote
access, for example, can be summarized with a rule set.
You can assign a rule set to one or more users. If login of this user was successful, the
firewall rule set intended for this user is enabled.
A timer is started after login. When the time expires, the user is automatically logged out
from the device.

Description

"Rule set" area


● Name
Define a unique name for the rule set. If you click the "Create" button, a new row with a
unique number is created.
The table contains the following columns:
● Select
Select the check box in the row to be deleted.
● No.
Shows the unique number of the entry.
● Name
Name of the rule set. The name can be changed if required.
● Comment
Comment that describes the rule set in more detail.
● Timeout
Access is time-limited. Specify the duration of the access. If needed, the user can extend
the access time via the "Reset Timeout" button on the "User Specific Firewall" page.

"Rule Set Assignment" area


● Type
Specify which rule set will be assigned to whom. The display of the following table
depends on the selection for "Type".
– User Account
The rule set is activated through a user account.
– Digital Input
The rule set is executed by controlling the digital input. The prerequisite for this is that
the entry "Digital Input" is activated for the "Firewall" event under "System > Event >
Configuration".
The "User Account" table contains the following columns:
● User Account
Only the users with remote access "only" or "additional" are displayed.
● Role
Shows the role of the user.
● Rule set
Define the rule set that is valid for this user.
● Remaining Time
When this user is logged on, the remaining time for access is displayed.
● Force Deactivate
A user with administrator rights can log off the active user with this button.
The "Digital Input" table contains the following columns:
● Digital Input
The available digital inputs.
● Rule set
Define the rule set that is controlled via the digital input.
● Dynamic Source (Range)
Enter the IP address or an IP range that is allowed to send IP packets.
● Status
Shows the remaining time for access.

4.9.5.4 IP services
On this WBM page, you define IP services. Using the IP service definitions, you can define
firewall rules for specific services. You select a name and assign the service parameters to
it. When you configure the IP rules, you simply use this name.

Description
The page contains the following:
● Service Name
Enter the name of the IP service. The name must be unique.
This table contains the following columns:
● Select
Activate the check box in the row to be deleted.
● Service Name
Shows the name of the IP service.
● Transport
Specify the protocol type.
– UDP
The rule applies only to UDP frames.
– TCP
The rule applies only to TCP frames.

● Source Port (Range)


Enter the source port. The rule applies specifically to the specified port.
– If the rule is intended to apply to a port range, enter the range with start port "-" end
port, for example 30 - 40.
– If the rule is intended to apply to all ports, enter "*".
● Destination Port (Range)
Enter the destination port. The rule applies specifically to the specified port.
– If the rule is intended to apply to a port range, enter the range with start port "-" end
port, for example 30 - 40.
– If the rule is intended to apply to all ports, enter "*".

4.9.5.5 ICMP services
On this page, you define ICMP services. Using the ICMP service definitions, you can define
firewall rules for specific services. You select a name and assign the service parameters to
it. When you configure the IP rules, you simply use this name.

Description
The page contains the following:
● Service Name
Enter a name for the ICMP service. The name must be unique.
The table contains the following columns:
● Select
Select the check box in the row to be deleted.
● Service Name
Shows the name of the ICMP service.

● Protocol
Shows the version of the ICMP protocol.
● Type
Specify the ICMP packet type. A few examples:
– Destination Unreachable (type 3)
The IP packet cannot be delivered.
– Time Exceeded (type 11)
The time limit (TTL or reassembly time) was exceeded.
– Echo Request (type 8)
Echo request, better known as ping.
● Code
The code describes the ICMP packet type in greater detail. The selection depends on the
selected ICMP packet type. With "Destination Unreachable", for example, code 1 means
"host unreachable".

4.9.5.6 IP protocols
On this WBM page, you can configure user-defined protocols, e.g. IGMP for multicast
groups. You select a protocol name and assign the service parameters to it. When you
configure the IP rules, you simply use this protocol name.

Description
The page contains the following:
● Protocol Name
Enter a name for the protocol.

The table contains the following columns:
● Select
Select the check box in the row to be deleted.
● Protocol Name
Shows the protocol name.
● Protocol Number
Enter the IP protocol number, for example 2 for IGMP. The complete list of assigned
protocol numbers is maintained by IANA (iana.org).

Procedure
Create IGMP protocol
1. Enter IGMP in "Protocol Name".
2. Click the "Set Values" button. A new entry is generated in the table.
3. Enter "2" in "Protocol Number".

4.9.5.7 IP rules
On this WBM page, you specify your own IP rules for the firewall.
The IP rules set here have priority:
● Over the predefined IPv4 rules and
● Over the IP rules created automatically due to a connection configuration (SINEMA RC).

Description
● IP Version
The version of the IP protocol.
● Rule set
Select the required rule set. Only the IP rules that are assigned to this rule set will then be
displayed in the table, provided that "Show all" is disabled.
● Show all
When enabled, all available IP rules are displayed. With the "Assign" setting, you assign
an IP rule to the selected rule set.
The table contains the following columns:
● Select
Activate the check box in the row to be deleted.
● Protocol
Shows the version of the IP protocol.
● Action
Select how incoming IP packets are handled:
– "Accept" - The data packets can pass through.
– "Reject" – The data packets are rejected, and the sender receives a corresponding
message.
– "Drop" – The data packets are discarded without any notification to the sender.
● From / To
Specify the communications direction of the IP rule.
– VLANx: VLANs with configured subnet
– Device: the device itself (traffic to or from the S615's own addresses)
– ppp0 or usb0 (only with M876-4): WAN interface
– SINEMA RC: Connection to SINEMA RC Server
– IPsec: Either all IPsec VPN connections (all) or a specific IPsec VPN connection
● Source (Range)
Enter the IP address or an IP range that is allowed to send IP packets.
– Individual IP address:
Enter the IPv4 address.
– IP range
Specify the range with the start address "-" end address, e.g. 192.168.100.10 -
192.168.100.20.

– All IP addresses
Specify "0.0.0.0/0".
– DYNAMIC
If the rule set is activated by a user, the placeholder DYNAMIC is replaced by the IP
address of the end device used.

Note
Digital input and DYNAMIC placeholder
If the rule set is executed by controlling the digital input, the placeholder DYNAMIC is
replaced by the setting for "Dynamic Source (Range)". You configure the setting in
"Security > Firewall > User-specific".

● Destination (Range)
Enter the IP address or an IP range that is allowed to receive IP packets.
– Individual IP address:
Enter the IPv4 address.
– IP range
Specify the range with the start address "-" end address, e.g. 192.168.100.10 -
192.168.100.20.
– All IP addresses
Specify "0.0.0.0/0".
● Service
Select the service or the protocol name for which this rule is valid.
● Log
Specify whether or not there should be a log entry every time the rule comes into effect
and specify the severity of the event.
The following settings are available:
– none
The rule coming into effect is not logged.
– info / warning / critical
The rule coming into effect is logged with the selected event severity. The log file is
displayed in "Information" > "Log Tables" > "Firewall Log".
● Precedence
Defines the order in which the firewall processes the IP rules: ascending, starting with 0,
so the rule with the lowest value is checked first. The order matters when rules overlap,
e.g. a specific "Accept" rule must come before a general "Drop" rule.
● Assign
To assign the IP rules to the selected rule set, activate the setting for the desired rule set
and click the "Set Values" button.

● Assigned
Shows the rule set to which this IP rule is assigned. The IP rules can also be assigned to
multiple rule sets. If the IP rule is assigned to all rule sets, "all" is displayed.
● Name
Shows who created the IP rule.
– NETMAP - automatically created firewall rule
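
As an added worked example (editor's code, not part of the manual or the device firmware), the following Python model shows how the objects from sections 4.9.5.4 to 4.9.5.7 fit together: the port-range and address-range notation used by IP services and IP rules, ICMP and protocol-number services, rule sets with the DYNAMIC placeholder, and processing in ascending precedence. First-match behaviour, a default of "drop" when no rule matches, the omitted From/To interface column and all sample addresses are assumptions of this model.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Union


def parse_port_range(spec: str) -> tuple:
    """Port (Range) box: '*' = all ports, '30 - 40' = range, '502' = single port."""
    spec = spec.strip()
    if spec == "*":
        return (0, 65535)
    parts = [int(p) for p in spec.split("-", 1)]
    lo, hi = parts[0], parts[-1]
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"invalid port range {spec!r}")
    return (lo, hi)


def parse_addr_range(spec: str) -> tuple:
    """Source/Destination (Range) box: single IPv4, 'start - end' or '0.0.0.0/0',
    returned as integer bounds so ranges and CIDR blocks compare the same way."""
    spec = spec.strip()
    if "/" in spec:
        net = ipaddress.IPv4Network(spec, strict=False)
        return (int(net.network_address), int(net.broadcast_address))
    ips = [int(ipaddress.IPv4Address(p.strip())) for p in spec.split("-", 1)]
    return (ips[0], ips[-1])


@dataclass(frozen=True)
class IPService:               # 4.9.5.4
    transport: str             # "tcp" or "udp"
    sport: str = "*"           # Source Port (Range)
    dport: str = "*"           # Destination Port (Range)


@dataclass(frozen=True)
class ICMPService:             # 4.9.5.5
    type: int
    code: Optional[int] = None  # None = any code (assumption of this model)


@dataclass(frozen=True)
class IPProtocol:              # 4.9.5.6, e.g. number 2 = IGMP
    number: int


@dataclass(frozen=True)
class Rule:                    # 4.9.5.7: one row of the IP rules table
    precedence: int
    action: str                # "accept", "reject" or "drop"
    src: str                   # address, 'start - end', 0.0.0.0/0 or DYNAMIC
    dst: str
    service: Optional[str] = None          # service/protocol name; None = any
    rule_sets: frozenset = frozenset({"all"})


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: Union[str, int]     # "tcp", "udp", "icmp" or an IP protocol number
    sport: int = 0
    dport: int = 0
    icmp_type: int = -1
    icmp_code: int = -1


def service_matches(svc, pkt: Packet) -> bool:
    if isinstance(svc, IPService):
        lo_s, hi_s = parse_port_range(svc.sport)
        lo_d, hi_d = parse_port_range(svc.dport)
        return (pkt.proto == svc.transport and lo_s <= pkt.sport <= hi_s
                and lo_d <= pkt.dport <= hi_d)
    if isinstance(svc, ICMPService):
        return (pkt.proto == "icmp" and pkt.icmp_type == svc.type
                and (svc.code is None or pkt.icmp_code == svc.code))
    return pkt.proto == svc.number


def evaluate(rules, services, pkt: Packet, rule_set: str = "all",
             dynamic: Optional[str] = None, default: str = "drop") -> str:
    """Rules assigned to `rule_set` (or to all sets) are tried in ascending precedence;
    the first match decides. `dynamic` replaces the DYNAMIC placeholder: the logged-on
    user's address or the 'Dynamic Source (Range)' of the digital input."""
    active = [r for r in rules if "all" in r.rule_sets or rule_set in r.rule_sets]
    src_ip = int(ipaddress.IPv4Address(pkt.src))
    dst_ip = int(ipaddress.IPv4Address(pkt.dst))
    for rule in sorted(active, key=lambda r: r.precedence):
        src_spec = dynamic if rule.src == "DYNAMIC" else rule.src
        if src_spec is None:
            continue           # DYNAMIC rule set not activated: rule not in effect
        lo, hi = parse_addr_range(src_spec)
        if not lo <= src_ip <= hi:
            continue
        lo, hi = parse_addr_range(rule.dst)
        if not lo <= dst_ip <= hi:
            continue
        if rule.service is not None and not service_matches(services[rule.service], pkt):
            continue
        return rule.action
    return default


def sample_config():
    """Constructed example: Modbus/TCP to one PLC and IGMP are allowed from VLAN1 to
    VLAN2, everything else is dropped; rule set 'remote' lets only the activating station ping."""
    services = {"modbus": IPService("tcp", "*", "502"),
                "ping": ICMPService(type=8, code=0), "igmp": IPProtocol(2)}
    rules = [Rule(0, "accept", "192.168.100.10 - 192.168.100.20", "10.0.0.5", "modbus"),
             Rule(1, "accept", "192.168.100.0/24", "10.0.0.0/24", "igmp"),
             Rule(2, "drop", "0.0.0.0/0", "0.0.0.0/0"),
             Rule(0, "accept", "DYNAMIC", "10.0.0.0/24", "ping", frozenset({"remote"}))]
    return rules, services
```

Swapping the precedence values of the Modbus rule and the catch-all "drop" rule in sample_config() is the quickest way to see why the order matters: the same packet is then dropped before the "Accept" rule is ever reached.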

4.9.6 IPsec VPN

4.9.6.1 General
On the WBM page, you configure the basic settings for VPN.

Description
The page contains the following:
● Activate IPsec VPN
Enable or disable the IPsec protocol for VPN.
● Enforce strict CRL Policy
When enabled, the validity of the certificates is checked based on the CRL (Certificate
Revocation List). The certificate revocation list lists the certificates issued by the
certification authority that have lost their validity before the set expiry date. You configure
the certificate revocation list to be used on the WBM page "Certificates (Page 279)".
● NAT Keep Alive Time Interval
Specify the interval at which sign of life frames (keepalives) are sent. If there is a NAT
device between two VPN endpoints, when there is inactivity, the connection is deleted
from its dynamic NAT table. To prevent this, keepalives are sent.

4.9.6.2 Remote End
On this WBM page, you configure the partner (VPN end point).

Description
The page contains the following:
● Remote End Name
Enter the name of the remote station and click "Create" to create a new remote station.
This table contains the following columns:
● Select
Select the check box in the row to be deleted.
● Name
Shows the name of the partner.
● Remote Mode
Specify the role the remote stations will adopt.
– Roadwarrior
The reachable remote addresses are entered. The reachable remote subnets are
learned from the partner.
– Standard
The reachable remote address and the reachable remote subnets are entered
permanently.
● Remote Type
Specify the type of remote station address.
– Manual
The address of the partner is known. The device can either establish the VPN
connection actively as a VPN client or wait passively for connection establishment by
the partner.
– Any
Accepts the connection from remote stations with any IP address. The device can only
wait for VPN connections and cannot establish a VPN tunnel as the active partner.

● Remote Address
Can only be edited with the remote type "Manual".
– In standard mode, enter the WAN IP address or the DDNS host name of the partner.
The network mask is always /32, i.e. a single host.
– In Roadwarrior mode, you can specify either the address of the partner or enter an IP
range from which connections will be accepted.
● Remote Subnet
– In standard mode, enter the remote subnet of the remote station. Use the CIDR
notation.
– In Roadwarrior mode, the remote address informs the device of its reachable subnets
and the device learns them.
● Virtual IP Mode
Specify whether or not the remote station is offered a virtual IP address.
The following options are available:
– User defined IPv4
The virtual IP address is taken from the range specified in "Virtual IP".
– None
No virtual IP address. The VPN tunnel is established dynamically to the internal IP
address of the remote station.
● Virtual IP
Specify the subnet (CIDR) from which the remote station is offered a virtual IP address.
Can only be edited if "user defined IPv4" is selected in "Virtual IP Mode".

Procedure
Configure VPN standard mode
1. Enter the name of the remote station in "Remote End Name".
2. Click the "Create" button. A new entry is generated in the table.
3. For "Remote Mode", select "Standard".
4. For "Remote Type", select "manual".
5. In "Remote Address", enter the WAN IP address and in "Remote Subnet" the subnet of
the remote station.
6. Click the "Set Values" button.

Configure VPN Roadwarrior mode
1. Enter the name of the remote station in "Remote End Name".
2. Click the "Create" button. A new entry is generated in the table.
3. For "Remote Mode", select "Roadwarrior".
4. For "Remote Type", select "Any".
5. In "Remote Address", enter the IP address or the IP range of the remote stations. The box
can only be edited with "Remote Type" "Manual".
6. In "Virtual IP Mode", specify whether the remote station is offered a virtual IP address.
7. Click the "Set Values" button.

4.9.6.3 Connections
On the WBM page, you configure the basic settings for the VPN connection. With these
settings, the device (local endpoint) can establish a secure VPN tunnel to the partner. You
specify the security settings on the WBM page "Authentication".

Note
Several IPsec VPN connections via the same VPN endpoint
If you have created IPsec VPN connections to different remote subnets via the same VPN
endpoint, the first configured VPN connection (lowest index) is the main connection (parent).
Via the main connection all other IPsec VPN connections (children) are created and
established. If all VPN tunnels are now established and the main (parent) connection is
terminated all child connections are interrupted. After the DPD timeout has expired, all IPsec
VPN connections are reestablished via the main connection.
If only one child connection is terminated, the parent connection and the other child
connections are retained.

Note
IPsec: Restrictions for phase 2 connections
Create a maximum of 20 phase 2 connections per phase 1 (remote endpoint).

Note
If you use "NETMAP"
• only auto firewall rules are supported
• For "Operation" the setting "on demand" cannot be selected.

Description
The page contains the following boxes:
● Connection name
Enter a name for the VPN connection and click "Create" to create a new connection.
This table contains the following columns:
● Select
Select the check box in the row to be deleted.
● Name
Shows the name of the VPN connection.
● Operation
Specify who establishes the VPN connection. You will find more detailed information in
"Technical basics > VPN connection establishment (Page 59)".
– Disabled
The VPN connection is disabled.
– start
The device attempts to establish a VPN connection to the partner.
– wait
The device waits for the remote station to initiate the connection establishment.
– on demand
The VPN connection is established when necessary.
– start on DI
If the event "Digital In" occurs the device attempts to establish a VPN connection to
the remote station.
This is on condition that the event "Digital In" is forwarded to the VPN connection. To
do this in "System > Events > Configuration" activate "VPN Tunnel" for the "Digital In"
event.

– wait on DI
If the event "Digital In" occurs, the device waits for the remote station to initiate
connection establishment.
This is on condition that the event "Digital In" is forwarded to the VPN connection. To
do this in "System > Events> Configuration" activate "VPN Tunnel" for the "Digital In"
event.
● Keying Protocol
Specify whether IKEv2 or IKEv1 will be used. Use IKEv2 whenever the partner supports it;
IKEv1 is only needed for legacy partners.
● Remote End
Select the required remote station. Only partners can be configured that have been
configured on the "Remote End" WBM page.
● Local Subnet
Enter the local subnet. Use the CIDR notation. The local network can also be a single PC
or another subset of the local network.
● Request Virtual IP
When enabled, a virtual IP address is requested from the remote station during
connection establishment.
● Timeout [sec]
Only necessary with the “on demand" setting. Enter the interval after which the VPN
connection will be terminated. If no packets are sent during this time, the VPN connection
is automatically terminated.

4.9.6.4 Authentication
On this WBM page, you specify how the VPN connection partners authenticate themselves
with each other.

Description
This table contains the following columns:
● Name
Shows the name of the VPN connection to which the settings relate.
● Authentication
Select the authentication method. For the VPN connection, it is essential that the partner
uses the same authentication method.
– Disabled
No authentication method is selected. Connection establishment is not possible.
– Remote Cert
The remote certificate is used for authentication. You specify the certificate in "Remote
Certificate"
– CA Cert
The certificate of the certification authority is used for authentication. You specify the
certificate in "CA Certificate".
– PSK
A key is used for authentication. You configure the key in "PSK".
● CA Certificate
Select the certificate. Only loaded certificates can be selected.
● Local Certificate
Select the machine certificate.
You load the certificates on the device with "System > Load&Save". The loaded
certificates and key files are shown on the WBM page "Security > Certificates".
● Local ID
Enter the local ID from the partner certificate. Only when you use the partner certificate
can you leave the box empty. The box is automatically filled with the value from the
partner certificate.
● Remote Certificate
Select the remote station certificate. Only loaded remote certificates can be selected.
You load the certificates on the device with "System > Load&Save". The loaded
certificates and key files are shown on the WBM page "Security > Certificates".
● Remote ID
Enter the "Distinguished Name" or "Alternate Name" from the partner certificate. Only
when you use the partner certificate can you leave the box empty. The box is
automatically filled with the value from the partner certificate.
● PSK
Enter the key.
● PSK Confirmation
Repeat the key.
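
The constraints stated on the "Remote End", "Connections" and "Authentication" pages (a "Remote Type" of "Any" can only wait for the partner, standard mode needs a remote subnet in CIDR notation, "on demand" needs a timeout, "Disabled" authentication never connects, at most 20 phase 2 connections per remote end) are easy to get wrong when the tables are filled in by hand. The following Python check is an added example by the editor, not part of the manual or the device; the data classes, the overlap check between local and remote subnets (which would leave the tunnel traffic unroutable) and the sample addresses are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

MAX_PHASE2_PER_REMOTE = 20                                 # note in 4.9.6.3
WAIT_ONLY_OPERATIONS = {"wait", "wait on di", "disabled"}  # possible with Remote Type "Any"


@dataclass
class RemoteEnd:
    name: str
    remote_mode: str = "Standard"        # "Standard" or "Roadwarrior"
    remote_type: str = "Manual"          # "Manual" or "Any"
    remote_address: str = ""             # WAN address / DDNS name, or address range
    remote_subnet: Optional[str] = None  # CIDR, Standard mode only
    virtual_ip: Optional[str] = None     # CIDR pool offered to the partner, or None


@dataclass
class Connection:
    name: str
    remote_end: str
    operation: str = "start"             # disabled, start, wait, on demand, start/wait on DI
    local_subnet: str = ""               # CIDR
    timeout_sec: int = 0                 # only used with "on demand"
    authentication: str = "CA Cert"      # Disabled, Remote Cert, CA Cert or PSK


def _cidr(spec: str):
    try:
        return ipaddress.IPv4Network(spec, strict=False)
    except ValueError:
        return None


def check(remotes: Dict[str, RemoteEnd], conns: List[Connection]) -> List[str]:
    findings, per_remote = [], {}
    for c in conns:
        r = remotes.get(c.remote_end)
        if r is None:
            findings.append(f"{c.name}: Remote End '{c.remote_end}' does not exist")
            continue
        per_remote[r.name] = per_remote.get(r.name, 0) + 1
        op = c.operation.lower()
        # An "Any" partner can only be waited for; the device cannot dial an unknown address.
        if r.remote_type.lower() == "any" and op not in WAIT_ONLY_OPERATIONS:
            findings.append(f"{c.name}: Operation '{c.operation}' is not possible with Remote Type 'Any'")
        if r.remote_type.lower() == "manual" and not r.remote_address:
            findings.append(f"{c.name}: Remote Type 'Manual' requires a Remote Address")
        if op == "on demand" and c.timeout_sec <= 0:
            findings.append(f"{c.name}: 'on demand' needs a Timeout [sec] greater than 0")
        if c.authentication.lower() == "disabled":
            findings.append(f"{c.name}: Authentication 'Disabled'; the tunnel can never be established")
        local = _cidr(c.local_subnet)
        if local is None:
            findings.append(f"{c.name}: Local Subnet '{c.local_subnet}' is not valid CIDR")
            continue
        if r.remote_mode.lower() == "standard":
            remote = _cidr(r.remote_subnet or "")
            if remote is None:
                findings.append(f"{c.name}: Standard mode needs a valid Remote Subnet (CIDR)")
            elif remote.overlaps(local):
                findings.append(f"{c.name}: Remote Subnet {remote} overlaps Local Subnet {local}")
        if r.virtual_ip:
            pool = _cidr(r.virtual_ip)
            if pool is None:
                findings.append(f"{r.name}: Virtual IP '{r.virtual_ip}' is not valid CIDR")
            elif pool.overlaps(local):
                findings.append(f"{c.name}: Virtual IP pool {pool} overlaps Local Subnet {local}")
    for name, n in per_remote.items():
        if n > MAX_PHASE2_PER_REMOTE:
            findings.append(f"{name}: {n} phase 2 connections exceed the limit of {MAX_PHASE2_PER_REMOTE}")
    return findings


def sample_findings() -> List[str]:
    """Constructed example; the addresses are documentation ranges, not a real site."""
    remotes = {
        "hq": RemoteEnd("hq", "Standard", "Manual", "198.51.100.1", "10.10.0.0/16"),
        "mobile": RemoteEnd("mobile", "Roadwarrior", "Any", virtual_ip="172.31.255.0/24"),
    }
    conns = [
        Connection("site-to-hq", "hq", "start", "192.168.100.0/24"),
        Connection("mobile-in", "mobile", "start", "192.168.100.0/24"),
        Connection("hq-overlap", "hq", "on demand", "10.10.5.0/24", 0, "Disabled"),
    ]
    return check(remotes, conns)
```

Run the check against an export of the three tables before clicking "Set Values"; a correctly filled-in site-to-site connection such as "site-to-hq" above produces no findings.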

4.9.6.5 Phase 1
Phase 1: Encryption agreement and authentication (IKE = Internet Key Exchange)

On this WBM page, you set the parameters for the protocol of the IPsec key management.
The key exchange uses the standardized IKE method for which you can set the following
protocol parameters.

Description
The table contains the following columns:
● Name
Shows the name of the VPN connection to which the settings relate.
● Default Ciphers
When enabled, a preset list is transferred to the VPN connection partner during
connection establishment. The list contains a combination of the three algorithms
(Encryption, Authentication, Key Derivation). To establish a VPN connection, the VPN
connection partner must support at least one of the combinations. The selection depends
on the key exchange method. Additional information can be found in the section "IPsec
VPN".
● Encryption
For phase 1, select the required encryption algorithm. Can only be selected if "Default
Ciphers" is disabled.
The selection depends on the key exchange method. Additional information can be found
in the section "IPsec VPN".

Note
The AES modes CCM and GCM contain their own mechanism for authenticating data. If you
use an AES x CCM or AES x GCM mode for "Encryption", it is also used for authentication;
the "Authentication" parameter then only determines the pseudo random function (PRF).
So that a VPN connection can be established, all devices need to use the same settings.

● Authentication
Specify the hash algorithm for the integrity check (HMAC). Can only be selected if "Default
Ciphers" is disabled.
The following methods are supported:
– MD5
– SHA1
– SHA256
– SHA384
– SHA512
MD5 and SHA1 are no longer considered secure; select SHA256 or stronger unless a legacy
partner requires otherwise.
● Key derivation
Select the required Diffie-Hellman group (DH) from which a key will be generated. Can
only be selected if "Default Ciphers" is disabled.
The following DH groups are supported:
– DH group 1
– DH group 2
– DH group 5
– DH group 14
– DH group 15
– DH group 16
– DH group 17
– DH group 18
Groups 1, 2 and 5 (768-, 1024- and 1536-bit MODP) are too weak for new installations;
use group 14 (2048-bit MODP) or higher.
● Keying Tries
Enter the number of repetitions for a failed connection establishment. If you enter the
value 0, the connection establishment will be attempted endlessly.
● Lifetime [min]
Enter a period in minutes to specify the lifetime of the authentication. When the time has
elapsed, the VPN endpoints involved must authenticate themselves with each other again
and generate a new key.
● DPD
When enabled, DPD (Dead Peer Detection) is used. Using DPD, it is possible to find out
whether the VPN connection still exists or whether it has aborted.

Note
Sending DPD queries increases the amount of data sent and received. This can lead to
increased costs.

● DPD Period [sec]
Enter the period after which DPD requests are sent. These queries test whether or not
the remote station is still available.

● DPD Timeout [sec]
Enter a period. If there is no response to the DPD queries, the connection to the remote
station is declared to be invalid after this time has elapsed.

Note
To avoid unwanted connection breakdowns, set the DPD timeout significantly higher than
the DPD period. We recommend setting it at least 2 minutes longer than the DPD period.

● Aggressive Mode
Only relevant for IKEv1.
– Disabled:
Main Mode is used.
– Enabled
Aggressive Mode is used.
The difference between main and aggressive mode is the "identity protection" used in
main mode. The identity is transferred encrypted in main mode but not in aggressive
mode. With PSK authentication, aggressive mode also lets an eavesdropper capture the
material for an offline dictionary attack on the key, so leave it disabled unless a legacy
partner requires it.

4.9.6.6 Phase 2
Phase 2: Data exchange (ESP = Encapsulating Security Payload)

On this WBM page, you set the parameters for the protocol of the IPsec data exchange. The
entire communication during this phase is encrypted using the standardized security protocol
ESP for which you can set the following protocol parameters.

Description
This table contains the following columns:
● Name
Shows the name of the VPN connection to which the settings relate.
● Default Ciphers
When enabled, a preset list is transferred to the VPN connection partner during
connection establishment. The list contains a combination of the three algorithms
(Encryption, Authentication, Key Derivation). To establish a VPN connection, the VPN
connection partner must support at least one of the combinations. Further information can
be found in the section "IPsec VPN".
● Encryption
For phase 2, select the required encryption algorithm. Can only be selected if "Default
Ciphers" is disabled.
Further information can be found in the section "IPsec VPN".

Note
The AES modes CCM and GCM contain separate mechanisms for authenticating data. If
you use a mode AES x CCM or AES x GCM for "Encryption", this will also be used for
authentication. Then only the pseudo random function will be derived from the
"Authentication" parameter.

● Authentication
Specify the hash algorithm for the integrity check (HMAC). Can only be selected if "Default
Ciphers" is disabled.
The following methods are supported:
– MD5
– SHA1
– SHA256
– SHA384
– SHA512
As in phase 1, avoid MD5 and SHA1; select SHA256 or stronger.
● Key Derivation
Select the required Diffie-Hellman group (DH) from which a key will be generated. Can
only be selected if "Default Ciphers" is disabled.
The following DH groups are supported:
– None: For phase 2, no separate keys are exchanged. This means that Perfect
Forward Secrecy (PFS) is disabled: whoever obtains the phase 1 key material can
derive the phase 2 keys as well. Select a DH group unless the partner cannot do PFS.
– DH group 1
– DH group 2
– DH group 5
– DH group 14
– DH group 15
– DH group 16
– DH group 17
– DH group 18
Groups 1, 2 and 5 are too weak for new installations; use group 14 or higher.

Note
So that a VPN connection can be established, all devices need to use the same settings
or provide compatible key procedures.

● Lifetime [min]
Enter a period in minutes to specify the lifetime of the agreed keys. When the time
expires, the key is renegotiated.
● Lifebytes
Enter the data limit in bytes that specifies the lifetime of the agreed key. When the data
limit is reached, the key is renegotiated.
● Protocol
Specify the protocol for which the VPN connection is valid e.g. UDP, TCP, ICMP. If the
setting is intended to apply to all protocols, enter "*".
● Port (Range)
Specify the port via which the VPN tunnel can communicate. The setting applies
specifically to the specified port.
– If the setting is intended to apply to a port range, enter the range with start port "-" end
port, for example 30 - 40.
– If the setting is intended to apply to all ports, enter "*".
The setting is only effective for port-based protocols (TCP, UDP).
● Auto Firewall Rules
– enabled
The firewall rules are created automatically for the VPN connection.
– disabled
You will need to create the firewall rules yourself.

4.9.7 OpenVPN client

4.9.7.1 General
On this WBM page, you enable the OpenVPN client.

Description
The page contains the following:
● Activate OpenVPN Client
Enable or disable the OpenVPN client.

4.9.7.2 Connections
On this WBM page, you configure the basic settings for the OpenVPN connection. You
specify the security settings on the WBM page "Authentication".

Description
● Connection name
Enter a unique name for the OpenVPN connection and click "Create" to create a new
connection.
The table contains the following columns:
● Select
Select the check box in the row to be deleted.
● Name
Shows the name of the OpenVPN connection.

● Operation
Specify how the connection is established. You will find more detailed information in
"Technical basics > VPN connection establishment (Page 59)".
– start
The device attempts to establish a VPN connection to the partner.
– Start on DI
If the event "Digital In" occurs the device attempts to establish a VPN connection to
the remote station.
This is on condition that the event "Digital In" is forwarded to the VPN connection. To
do this in "System > Events> Configuration" activate "VPN Tunnel" for the "Digital In"
event.
– Disabled
The VPN connection is disabled.
● Encryption
Select the required encryption algorithm.
– AES-128-CBC (Default)
– AES-192-CBC
– AES-256-CBC
– DES-EDE3
– BF-CBC
DES-EDE3 (3DES) and BF-CBC (Blowfish) use a 64-bit block size and are vulnerable to
the SWEET32 birthday attack on long-lived tunnels; use one of the AES variants.
● Authentication
Specify the hash algorithm for the HMAC that authenticates every packet.
– SHA256 (default)
– SHA384
– SHA512
– SHA224
– SHA1
– MD5
Keep the default or stronger; MD5 and SHA1 are no longer considered secure.
● Use LZO
When enabled, the data is compressed with the LZO algorithm before it is encrypted.
Compressing data before encrypting it lets an attacker who can inject chosen plaintext
into the tunnel infer secrets from the ciphertext length (VORACLE); leave compression
disabled unless a legacy OpenVPN server requires it.

● Auto Firewall Rules
– Enabled
The firewall rules are created automatically for the VPN connection.
– Disabled
You will need to create the suitable firewall rules yourself.
● Enable NAT
With this setting, you enable automatic IP masquerading for this interface. The local
devices are not directly reachable from the outside, but only via the IP address of the
interface. The local devices can, however, connect to the devices downstream from the
OpenVPN server. You will find more information on NAT in "Technical basics > NAT
(Page 49)".
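
The Phase 1, Phase 2 and OpenVPN "Connections" tables above each offer algorithms that are still selectable for legacy partners but should not appear in a new configuration. The following Python audit is an added example by the editor, not part of the manual or the device: it models the relevant columns of the three tables and reports weak hashes, weak DH groups, disabled PFS, IKEv1 aggressive mode with PSK, a DPD timeout below the recommended period plus two minutes, 64-bit block ciphers and LZO compression. The thresholds are the editor's recommendations, and the sample configurations are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional

WEAK_HASHES = {"md5", "sha1", "sha224"}            # anything below SHA-256
WEAK_DH_GROUPS = {1, 2, 5}                         # 768-, 1024- and 1536-bit MODP
WEAK_OPENVPN_CIPHERS = {"des-ede3", "bf-cbc"}      # 64-bit block size (SWEET32)
AEAD_MODES = ("ccm", "gcm")                        # AES modes with built-in authentication
DPD_MARGIN_SEC = 120                               # manual: timeout >= period + 2 min


@dataclass
class Phase:
    """Columns shared by the Phase 1 and Phase 2 tables."""
    name: str
    default_ciphers: bool = True
    encryption: str = ""
    authentication: str = ""
    dh_group: Optional[int] = 14     # Key Derivation; None = "None" (phase 2, PFS off)


@dataclass
class Phase1(Phase):
    keying_protocol: str = "IKEv2"   # from the Connections table
    auth_method: str = "CA Cert"     # from the Authentication table
    aggressive_mode: bool = False
    dpd: bool = True
    dpd_period_sec: int = 30
    dpd_timeout_sec: int = 150


@dataclass
class Phase2(Phase):
    pass


@dataclass
class OpenVPNConnection:
    name: str
    encryption: str = "AES-128-CBC"
    authentication: str = "SHA256"
    use_lzo: bool = False


def audit_ciphers(p: Phase) -> List[str]:
    """Checks common to both phases. With Default Ciphers the preset list applies and
    the table shows nothing to judge, so the function stays silent."""
    f = []
    if p.default_ciphers:
        return f
    enc = p.encryption.lower()
    if "des" in enc:
        f.append(f"{p.name}: {p.encryption} is obsolete; use AES")
    if p.authentication.lower() in WEAK_HASHES:
        role = "PRF only, AEAD mode" if any(m in enc for m in AEAD_MODES) else "integrity"
        f.append(f"{p.name}: {p.authentication} is weak ({role}); use SHA256 or stronger")
    if p.dh_group is None:
        f.append(f"{p.name}: Key Derivation 'None' disables Perfect Forward Secrecy")
    elif p.dh_group in WEAK_DH_GROUPS:
        f.append(f"{p.name}: DH group {p.dh_group} is weak; use group 14 or higher")
    return f


def audit_phase1(p1: Phase1) -> List[str]:
    f = audit_ciphers(p1)
    if p1.keying_protocol.lower() == "ikev1":
        f.append(f"{p1.name}: IKEv1; prefer IKEv2 if the partner supports it")
    if p1.aggressive_mode:
        msg = f"{p1.name}: Aggressive Mode sends the identity unprotected"
        if p1.auth_method.upper() == "PSK":
            msg += " and exposes the PSK to an offline dictionary attack"
        f.append(msg)
    if not p1.dpd:
        f.append(f"{p1.name}: DPD disabled; a dead partner is never detected")
    elif p1.dpd_timeout_sec < p1.dpd_period_sec + DPD_MARGIN_SEC:
        f.append(f"{p1.name}: DPD timeout {p1.dpd_timeout_sec}s is below period + "
                 f"{DPD_MARGIN_SEC}s = {p1.dpd_period_sec + DPD_MARGIN_SEC}s")
    return f


def audit_openvpn(c: OpenVPNConnection) -> List[str]:
    f = []
    if c.encryption.lower() in WEAK_OPENVPN_CIPHERS:
        f.append(f"{c.name}: {c.encryption} has a 64-bit block (SWEET32); use an AES cipher")
    if c.authentication.lower() in WEAK_HASHES:
        f.append(f"{c.name}: {c.authentication} is weak; use SHA256 or stronger")
    if c.use_lzo:
        f.append(f"{c.name}: LZO compresses before encryption (VORACLE); disable it")
    return f


def audit(items) -> List[str]:
    out = []
    for it in items:
        if isinstance(it, Phase1):
            out += audit_phase1(it)
        elif isinstance(it, Phase2):
            out += audit_ciphers(it)
        else:
            out += audit_openvpn(it)
    return out


def sample_configs():
    """Constructed example: a legacy tunnel with every weak option next to a hardened one."""
    legacy = [
        Phase1("plant-A", default_ciphers=False, encryption="AES-128-CBC",
               authentication="MD5", dh_group=2, keying_protocol="IKEv1", auth_method="PSK",
               aggressive_mode=True, dpd_period_sec=30, dpd_timeout_sec=60),
        Phase2("plant-A", default_ciphers=False, encryption="AES-128-CBC",
               authentication="SHA1", dh_group=None),
        OpenVPNConnection("remote-maint", encryption="BF-CBC", authentication="SHA1", use_lzo=True),
    ]
    hardened = [
        Phase1("plant-B", default_ciphers=False, encryption="AES-256-GCM",
               authentication="SHA256", dh_group=14),
        Phase2("plant-B", default_ciphers=False, encryption="AES-256-GCM",
               authentication="SHA256", dh_group=14),
        OpenVPNConnection("remote-maint-2"),
    ]
    return legacy, hardened
```

With "Default Ciphers" enabled the preset list is negotiated and the table columns are empty, so the audit can only judge explicitly selected algorithms; check the preset list in the "IPsec VPN" section of the technical basics in that case.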

4.9.7.3 Remote
On this WBM page, you configure the partner (OpenVPN end point). Per connection, you
can specify several OpenVPN partners. The device tries all configured OpenVPN partners
one after the other until a connection is successfully established.

Description
The page contains the following:
● Remote Name
Enter a name for the OpenVPN partner and click "Create" to create a new partner.
This table contains the following columns:
● Select
Select the check box in the row to be deleted.
● Name
Shows the name of the Open VPN partner.

● Connection
Select the corresponding connection. Only connections can be configured that have been
configured on the "Connections" WBM page.
● Remote Address
Enter the WAN IP address or the DNS host name of the OpenVPN partner.
● Port
Specify the port via which the OpenVPN tunnel can communicate. The setting applies
specifically to the specified port.
● Protocol
Specify the transport protocol (UDP or TCP) over which the OpenVPN connection runs.
● Proxy
Specify whether the OpenVPN tunnel to the defined OpenVPN partner is established via
a proxy server. Only the proxy servers can be selected that you configured in "System >
Proxy Server".

4.9.7.4 Authentication
On this WBM page, you specify how the VPN connection partners authenticate themselves
with each other.

Description
This table contains the following columns:
● Name
Shows the name of the VPN connection to which the settings relate.
● Method
Select the authentication method. For the VPN connection, it is essential that the partner
uses the same authentication method.
– Disabled
No authentication method is selected. Connection establishment is not possible.

– Certificates
Certificates are used for the authentication.
– User name/Password
The user name/password are used for the authentication.
● CA Certificate
Select the certificate. Only loaded certificates can be selected.
You load the certificates on the device with "System > Load&Save". The loaded
certificates and key files are shown on the WBM page "Security > Certificates".
● Machine certificate
Select the machine certificate. Only loaded certificates can be selected.
You load the certificates on the device with "System > Load&Save". The loaded
certificates and key files are shown on the WBM page "Security > Certificates".
● User Name
Specify the user name.
● Password
Enter the password.
● Password Confirmation
Confirm the password.

5 Upkeep and maintenance
5.1 Device configuration with PRESET-PLUG
Please note the additional information and security notes in the operating instructions of your
device.

NOTICE
Do not remove or insert a PLUG during operation
A PLUG may only be removed or inserted when the device is turned off.

Note
Support as of V4.3
The PRESET-PLUG functionality is supported as of firmware version V4.3.

With the PRESET-PLUG, you can install the same device configuration (start configuration,
user accounts, certificates) including the corresponding firmware on multiple devices.
The PRESET PLUG is write-protected.
You configure the PRESET PLUG using the Command Line Interface (CLI).

Creating a PRESET-PLUG
You create the PRESET PLUG using the Command Line Interface (CLI). You can create a
PRESET-PLUG from any PLUG. To do this, follow the steps outlined below:

Note
Using configurations with DHCP
Create a PRESET-PLUG only from device configurations that use DHCP. Otherwise, several
devices would come up with identical IP addresses and disrupt network operation.
Assign fixed IP addresses separately after the basic installation.

Requirement
● A PLUG is inserted in the device on which you want to configure the PRESET-PLUG
functionality.

Procedure
1. Start the remote configuration using CLI and log on as a user with the "admin" role.
The CLI is reachable via Telnet (port 23) or SSH (port 22). Use SSH: Telnet sends the
administrator credentials and every command in cleartext.
2. Switch to the global configuration mode with the command "configure terminal".
3. You change to the PLUG configuration mode with the "plug" command.
4. Create the PRESET-PLUG with the "presetplug" command.
The firmware version of the device and the current device configuration incl. user
accounts and certificates are stored on the PLUG and the PLUG is then write protected.
5. Turn off the power to the device.
6. Remove the PRESET-PLUG.
7. Start the device either with a new PLUG inserted or with the internal configuration.

Procedure for installation with the aid of the PRESET-PLUG
1. Turn off the power to the device.
2. If it exists, remove the PLUG from the slot. You will find further information on this in the
operating instructions of your device.
3. Insert the PRESET-PLUG correctly oriented into the slot. The PRESET-PLUG is correctly
inserted when it is completely inside the device and does not jut out of the slot.
4. Turn on the power to the device again.
If there is a different firmware version on the device to be installed compared with that on
the PRESET-PLUG, an upgrade/downgrade of the firmware is performed. You can
recognize this by the red F-LED flashing (flashing interval: 2 sec on/0.2 sec off).
Afterwards the device is restarted and the device configuration incl. users and certificates
on the PRESET-PLUG is transferred to the device.
5. Wait until the device has fully started up.
(the red F-LED is off)
6. Turn off the power to the device after the installation.
7. Remove the PRESET-PLUG.
8. Start the device either with a new PLUG inserted or with the internal configuration.

Note
KEY-PLUG
If you have created the PRESET-PLUG from a KEY-PLUG, for operation with this
configuration, you require an inserted KEY-PLUG with factory settings.
In this case, before recommissioning the device you need to insert the relevant KEY-PLUG.

Note
Restore factory defaults and restart with a PRESET PLUG inserted
If you reset a device to the factory defaults, when the device restarts an inserted PRESET
PLUG is formatted and the PRESET PLUG functionality is lost. You then need to create a
new PRESET PLUG. The keys stored on the KEY-PLUG for releasing functions are
retained.
We recommend that you remove the PRESET PLUG before you reset the device to the
factory settings.

Formatting a PRESET-PLUG (resetting the preset function)


You format the PRESET PLUG using the Command Line Interface (CLI) to reset the preset
function. To do this, follow the steps outlined below:
1. Start the remote configuration using Telnet (CLI) and log on with a user with the "admin"
role.
2. Change to the Global configuration mode with the command "configure terminal".
3. Change to the PLUG configuration mode with the "plug" command.
4. Enter the command "factoryclean".
The PRESET-PLUG is formatted and the preset function is reset.
5. Write the current configuration of the device with the "write" command.

Requirement
● The device has an IP address.
● The user is logged in with administrator rights.

Firmware update via HTTP


1. Click "System" > "Load&Save" in the navigation area. Click the "HTTP" tab.
2. Click the "Loading" button next to "Firmware".
3. Go to the storage location of the firmware file.
4. Click the "Open" button in the dialog.

Firmware update via TFTP


1. Click "System > Load&Save" in the navigation area. Click the "TFTP" tab.
2. Enter the IP address of the TFTP server in the "TFTP Server Address" input box.
3. Enter the port of the TFTP server in the "TFTP Server Port" input box.
4. Click the "Load file" button in the "Firmware" table row.

5. Go to the storage location of the firmware file.
6. Click the "Open" button in the dialog. The file is uploaded.

Firmware update via SFTP


1. Click "System > Load&Save" in the navigation area. Click the "SFTP" tab.
2. Enter the IP address of the SFTP server in the "SFTP Server Address" input box.
3. Enter the port of the SFTP server in the "SFTP Server Port" input box.
4. Enter the user and the password for access to the SFTP server.
5. Click the "Load file" button in the "Firmware" table row.
6. Go to the storage location of the firmware file.
7. Click the "Open" button in the dialog. The file is uploaded.

Result
When the firmware has been loaded successfully, a dialog is displayed. Confirm the dialog
with "OK". The device is restarted.
In "Information" > "Versions" there is the additional entry "Firmware_Running".
Firmware_Running shows the version of the firmware currently running. Firmware shows the
firmware version stored on the device after loading the firmware.

5.2 Firmware update using WBM not possible

Cause
If there is a power failure during the firmware update, it is possible that the device is no
longer accessible using WBM and CLI.

Requirement
● The PC is connected to the device via the interfaces (P1 - P4).
● A TFTP client is installed on the PC and the firmware file exists.

Solution
You can then also transfer firmware to the device using TFTP.
Follow the steps below to load new firmware using TFTP:
1. Now press the SET button.
2. Hold down the button until the red fault LED (F) starts to flash after approximately 3
seconds.

Note
If you hold down the SET button for approximately 10 seconds, the device is reset to its
factory settings and can be reached with the IP address 192.168.1.1.

3. Now release the button. In this state the bootloader waits for a new firmware file that
you can transfer by TFTP.

Note
If you want to exit the boot loader without making changes, press the SET button briefly.
The device restarts with the loaded configuration.

4. Connect a PC to the device over the Ethernet interface (P1 - P4).
5. Open a DOS box and change to the directory where the new firmware file is located and
then execute the command "tftp -i <ip address> PUT <firmware>". As an alternative, you
can use a different TFTP client.
If you are not sure that the IP address is correct, you can check this, for example with the
Primary Setup Tool.

Note
Using TFTP
If you want to access TFTP in Windows 7, make sure that the corresponding Windows
function is enabled in the operating system.

Result
The firmware is transferred to the device.

Note
Please note that the transfer of the firmware can take several minutes. During the
transmission, the red error LED (F) flashes.

Once the firmware has been transferred completely to the device, the device is restarted
automatically.

5.3 Restoring the factory settings

NOTICE
Previous settings
If you reset, all the settings you have made will be overwritten by factory defaults.

NOTICE
Inadvertent reset
An inadvertent reset can cause disturbances and failures in a configured network with
further consequences.

With the reset button


When pressing the button, remember the information in the section "Reset button" in the
operating instructions.
Follow the steps below to reset the device parameters to the factory settings:
1. Turn off the power to the device.
2. Now press the Reset button and reconnect the power to the device while holding down
the button.
3. Hold down the button until the red fault LED (F) stops flashing after approximately 10
seconds and is permanently lit.
4. Now release the button and wait until the fault LED (F) goes off again.
5. The device then starts automatically with the factory settings.

Via the configuration


You will find detailed information on resetting the device parameters using the WBM and CLI
in the configuration manuals:
● Web Based Management, section "Restart"
● Command Line Interface, section "Reset and Defaults"

Appendix A
A.1 Format of the syslog messages
The devices generate Syslog messages (UDP default port 514) according to RFC 5424 that
contain the following fields.
PRIORITY
PRIORITY contains the coded priority of the Syslog message, broken down into a Severity
field and a Facility field.
● Facility
● Severity
VERSION
● Set to 1.
HEADER
● TIMESTAMP according to RFC 3339
● Host name
● APPNAME, PROCID and MSGID: If no information is known, the "-" character is output.
STRUCTURED DATA
● timeQuality block
MESSAGE
● ASCII string in English
HOSTNAME_CONTENT
● IPv4 address according to RFC1035: Each byte is represented in decimal, with a dot
separating it from the previous one. XXX.XXX.XXX.XXX
● IPv6 address according to RFC4291 Section 2.2

Note
Additional information about the meaning of the fields is available in RFC 5424.
https://tools.ietf.org/html/rfc5424

A.2 Parameters in Syslog messages


The Syslog messages can contain the following parameters:

Parameter | Description | Possible values or example
ip address | IPv4 or IPv6 address | IP address according to RFC1035 or RFC4291 Section 2.2
src port, dest port | Port, shown as a decimal number. Format: %d | 0 ... 65535
client mac, dest mac, src mac | MAC address. Format: %02x:%02x:%02x:%02x:%02x:%02x | 00:0C:29:2F:09:B3
protocol | Name of the service that generated this event or of the Layer 4 protocol used. Format: %s | One of UDP, TCP, WBM, Telnet, SSH, Console, TFTP, SFTP
group | String that identifies the group by its name. Format: %s | it-service
user name | String that identifies the authenticated user by his/her name, without spaces. Format: %s | maier
local interface | Symbolic name of the local interface. Format: %s | Console
action user name | Identifies a user by his/her name. This is not the authenticated user. Format: %s | Peter.Maier
role | Symbolic name of the group role. Format: %s | Administrator
time minute, timeout | Number of minutes. Format: %d | 44
time second | Number of seconds. Format: %d | 44
failed login count | Number of failed logins. Format: %d | 10
max sessions | Number of sessions. Format: %d | 10
vap | Symbolic name of the virtual access point interface. Format: (%s) or (%s %s) | VAP1.1
status reason | Additional status information as a legible string. It can contain multiple words. The string must start and end with " so that it can be analyzed. | (Invalid group cipher) (Unknown peer)
wlan interface | Symbolic name of the WLAN interface. Format: %s | WLAN1
ssid | SSID in ASCII representation, any number of spaces. Format: %s | MyWLAN
channel | Name of the channel. Format: %s | 12
signal strength | Signal strength. Format: %d | 12
version | Name of the version, without spaces. Format: %s | V1.0.3SP1
resource | Resource name without spaces, protected by the protection level concept. Format: %s | FullReadAccess
trigger condition | String for a trigger condition that enables the respective function, without spaces. Format: %s | I/O pin FB 88
trigger pin | String for an I/O pin that triggers the event, without spaces. Format: %s | DI1
firewall rule | String for a firewall rule, with spaces. Format: %s | Rule1
subject | String for the subject in the certificate, used as part of certificate-based authentication. With spaces; may also contain Unicode characters. Format: (%S) or (%S %S) for UTF-8 | (Peter Maier)
config detail | String for the configuration, with spaces. Format: %s | OpenVPN
connection name | Name of the VPN connection | to_Baugruppe1
firewall action accept | Firewall action executed (accepted packet) | ACCEPT
firewall action reject | Firewall action executed (rejected packet) | REJECT, DROP
length | Length of the network packet (in bytes). Format: %d | 52
network interface | Symbolic name of a network interface. Format: %s | vlan 1

A.3 Syslog messages


This section describes selected Syslog messages. The selection is based on IEC 62443-3-3.
This means you can integrate these events into a central monitoring system (SIEM).

Identification and authentication of human users

Log text Console: User {user name} logged in.
Standard IEC 62443-3-3 Reference: SR1.1
Description Valid login information that is specified during local login.
Example Console: User admin logged in.
Severity Info
Facility local0

Log text Console: Default user {user name} logged in.
Standard IEC 62443-3-3 Reference: n/a (NERC-CIP 007-R5)
Description User is logged in with default user name and password.
Example Console: Default user admin logged in.
Severity Info
Facility local0

Log text {protocol}: User {user name} logged in from {ip address}.
Standard IEC 62443-3-3 Reference: SR1.1
Description Valid login information that is specified during remote login.
Example WBM: User admin logged in from 192.168.0.1.
Severity Info
Facility local0

Log text {protocol}: Default user {user name} logged in from {ip address}.
Standard IEC 62443-3-3 Reference: n/a (NERC-CIP 007-R5)
Description User logged in with default user name and password.
Example SSH: Default user admin logged in from 192.168.0.1.
Severity Info
Facility local0

Log text Console: User {user name} logged out.
Standard IEC 62443-3-3 Reference: SR1.1
Description User session completed - logged out.
Example Console: User admin logged out.
Severity Info
Facility local0

Log text {protocol}: User {user name} logged out from {ip address}.
Standard IEC 62443-3-3 Reference: SR1.1
Description User session completed - logged out.
Example SSH: User admin logged out from 192.168.0.1.
Severity Info
Facility local0

Log text Console: User {user name} failed to log in.
Standard IEC 62443-3-3 Reference: SR1.1
Description Incorrect user name or incorrect password (login information) specified during
local login.
Example Console: User testuser failed to log in.
Severity Warning
Facility local0

Log text {protocol}: User {user name} failed to log in from {ip address}.
Standard IEC 62443-3-3 Reference: SR1.1
Description Incorrect user name or incorrect password (login information) specified during
remote login.
Example SSH: User testuser failed to log in from 192.168.0.1.
Severity Warning
Facility local0

Identification and authentication of devices (access via firewall)

Log text {firewall action accept}(1) in:{network interface} out:{network interface} len:{length} s-mac:{src mac} d-mac:{dest mac} s-ip:{ip address} d-ip:{ip address} {protocol}:{src port}->{dest port}
Standard IEC 62443-3-3 Reference: SR 1.2
Description A known device requested a connection.
Example ACCEPT(1) in:vlan1 out:ppp0 len:52 s-mac:58:EF:68:B3:FA:CE d-mac:00:1B:1B:A7:5B:D8 s-ip:172.23.1.6 d-ip:158.85.11.68 tcp:53788->443
Severity Info or Warning or Error (configurable)
Facility local0

Log text {firewall action reject}(1) in:{network interface} out:{network interface} len:{length} s-mac:{src mac} d-mac:{dest mac} s-ip:{ip address} d-ip:{ip address} {protocol}:{src port}->{dest port}
Standard IEC 62443-3-3 Reference: SR 1.2
Description An unknown device requested a connection. Request was denied.
Example REJECT(1) in:vlan1 out:ppp0 len:52 s-mac:58:EF:68:B3:FA:CE d-mac:00:1B:1B:A7:5B:D8 s-ip:172.23.1.6 d-ip:217.194.40.109 tcp:53773->443
Severity Info or Warning or Error (configurable)
Facility local0

Identification and authentication of device (connection via TIA Portal Cloud Connector)

Log text Cloud Connector: Connection number {config detail} from {ip address} established.
Standard IEC 62443-3-3 Reference: SR 1.2
Description A known device requested a connection. (Connection via TIA Portal Cloud Connector)
Example Cloud Connector: Connection number 10 from 192.168.55.111 established.
Severity Info
Facility local0

Log text Cloud Connector: Connection number {config detail} from {ip address} closed.
Standard IEC 62443-3-3 Reference: SR 1.2
Description An unknown device requested a connection. Request was denied. (Connection via TIA Portal Cloud Connector)
Example Cloud Connector: Connection number 6 from 192.168.55.111 closed.
Severity Info
Facility local0

User account management

Log text {protocol}: User {user name} changed own password.
Standard IEC 62443-3-3 Reference: SR1.3
Description User has changed own password.
Example WBM: User admin changed own password.
Severity Info
Facility local0

Log text {protocol}: User {user name} changed password of user {action user name}.
Standard IEC 62443-3-3 Reference: SR1.3
Description User has changed other password.
Example Console: User admin changed password of user test.
Severity Info
Facility local0

Log text {protocol}: User {user name} created user-account {action user name}.
Standard IEC 62443-3-3 Reference: SR1.3
Description The administrator created a new account.
Example WBM: User admin created user-account joachim.
Severity Info
Facility local0

Log text {protocol}: User {user name} deleted user-account {action user name}.
Standard IEC 62443-3-3 Reference: SR1.3
Description The administrator deleted an existing account.
Example WBM: User admin deleted user-account joachim.
Severity Info
Facility local0

Management of the identifiers

Log text {protocol}: User {user name} created group {group}.
Standard IEC 62443-3-3 Reference: SR1.4
Description The administrator has created a group.
Example WBM: User admin created group it-service.
Severity Info
Facility local0

Log text {protocol}: User {user name} deleted group {group}.
Standard IEC 62443-3-3 Reference: SR1.4
Description The administrator deleted an existing group.
Example WBM: User admin deleted group it-service.
Severity Info
Facility local0

Failed login attempts

Log text User {user name} account is locked for {time} minutes after {failed login count}
unsuccessful login attempts.
Standard IEC 62443-3-3 Reference: SR1.11
Description If there are too many failed logins, the corresponding user account was locked
for a specific period of time.
Example User admin account is locked for 10 minutes after 30 unsuccessful login attempts.
Severity Warning
Facility local0

Access via untrusted networks (IPsec)

Log text [IKE] <{connection name}|{config detail}> IKE_SA {connection name}[{config detail}] established between {ip address}[{config detail}]...{ip address}[{config detail}]
Standard IEC 62443-3-3 Reference: n/a (NERC CIP 005-R1)
Description VPN connection established. (IPsec)
Example [IKE] <c1|3> IKE_SA c1[1] established between 192.168.55.210[lokal]..
192.168.55.211[remote]
Severity Info
Facility local0

Log text [IKE] <{connection name}|{config detail}> deleting IKE_SA {connection name}[{config detail}] between {ip address}[{config detail}]...{ip address}[{config detail}]
Standard IEC 62443-3-3 Reference: n/a (NERC CIP 005-R1)
Description VPN tunnel is closed. (IPsec)
Example [IKE] <c1|3> deleting IKE_SA c2[1] between
192.168.55.211[lokal].. 192.168.55.210[remote]
Severity Info
Facility local0

Log text [IKE] <{connection name}|{config detail}> received AUTHENTICATION_FAILED notify error
Standard IEC 62443-3-3 Reference: n/a (NERC CIP 005-R3)
Description Authentication of VPN connection failed (IPsec).
Example [IKE] <c1|1> received AUTHENTICATION_FAILED notify error
Severity Warning
Facility local0

Access via untrusted networks (OpenVPN)

Log text OVPN_{connection name}[{config detail}]: Initialization Sequence Completed
Standard IEC 62443-3-3 Reference: n/a (NERC CIP 005-R1)
Description VPN connection established. (OpenVPN)
Example OVPN_Conn_1[2427]: Initialization Sequence Completed
Severity Info
Facility local0

Log text OpenVPN connection {connection name} has been deactivated.
Standard IEC 62443-3-3 Reference: n/a (NERC CIP 005-R1)
Description VPN connection was closed (OpenVPN).
Example OpenVPN connection c1 has been deactivated.
Severity Critical
Facility local0

Access via untrusted networks (SINEMA Remote Connect)

Log text SINEMA RC - State of Digital Input changed to HIGH. SINEMA RC - OpenVPN
connection established.
Standard IEC 62443-3-3 Reference: SR 1.13
Description Remote access is permitted. (SINEMA RC, Digital Input)
Example SINEMA RC - State of Digital Input changed to HIGH.
SINEMA RC - OpenVPN connection established.
Severity Info
Facility local0

Log text SINEMA RC - Received Wakeup SMS. SINEMA RC - OpenVPN connection established.
Standard IEC 62443-3-3 Reference: SR 1.13
Description Remote access is permitted. (SINEMA RC, Wakeup SMS)
Example SINEMA RC - Received Wakeup SMS.
SINEMA RC - OpenVPN connection established.
Severity Info
Facility local0

Log text SINEMA RC - State of Digital Input changed to LOW. SINEMA RC - OpenVPN
terminated.
Standard IEC 62443-3-3 Reference: SR 1.13
Description Remote access denied (SINEMA RC, Digital Input)
Example SINEMA RC - State of Digital Input changed to LOW.
SINEMA RC - OpenVPN terminated.
Severity Info
Facility local0

Log text SINEMA RC - Received Shutdown SMS. SINEMA RC - OpenVPN terminated.
Standard IEC 62443-3-3 Reference: SR 1.13
Description Remote access denied (SINEMA RC, Wakeup SMS)
Example SINEMA RC - Received Shutdown SMS.
SINEMA RC - OpenVPN terminated.
Severity Info
Facility local0

Authorization enforcement (access via custom firewall)

Log text User specific firewall user "{user name}" activated rule set "{firewall rule}" with ip
address "{ip address}". Timeout is set to {timeout} minutes.
Standard IEC 62443-3-3 Reference: n/a (NERC CIP 005-R2)
Description User has logged onto the user-specific firewall. (USF Digital User Login)
Example User specific firewall user "usf" activated rule set "rs1" with ip address
"172.23.1.14". Timeout is set to 5 minutes.
Severity Info
Facility local0

Log text User specific firewall user "{user name}" activated rule set "{firewall rule}" with ip
address "{ip address}". Timeout is set to {timeout} minutes.
Standard IEC 62443-3-3 Reference: n/a (NERC CIP 005-R2)
Description User has logged onto the user-specific firewall. (USF Digital Input Login)
Example User specific firewall digital input {trigger pin} activated rule set "{firewall rule}"
with ip address "{ip address}".
Severity Info
Facility local0

Log text User specific firewall user "{user name}" ruleset "{firewall rule}" time expired.
Standard IEC 62443-3-3 Reference: SR 2.1
Description Access to the user-specific firewall denied. Access time expired. (USF User
Logout)
Example User specific firewall user "usf" ruleset "rs1" time expired.
Severity Warning
Facility local0

Log text User specific firewall user "{user name}" logged out by administrator configuration.
Standard IEC 62443-3-3 Reference: SR 2.1
Description Access to the user-specific firewall denied. The device administrator deactivates
the user using the "Force Deactivate" button. (USF user force log out by admin)
Example User specific firewall user "usf" logged out by administrator configuration.
Severity Warning
Facility local0

Log text User specific firewall user "{user name}" deactivated by administrator configuration.
Standard IEC 62443-3-3 Reference: SR 2.1
Description Access to the user-specific firewall denied. The device administrator has deactivated the user. (USF user deactivated by admin)
Example User specific firewall user "usf" deactivated by administrator configuration.
Severity Warning
Facility local0

Log text User specific firewall digital input {trigger pin} deactivated rule set "{firewall rule}".
Standard IEC 62443-3-3 Reference: SR 2.1
Description Access to the user-specific firewall denied; the corresponding rule set was deactivated. (USF Digital Input Logout)
Example User specific firewall digital input 1 deactivated rule set "rs1".
Severity Warning
Facility local0

Session lock

Log text The session of user {user name} was closed after {time} seconds of inactivity.
Standard IEC 62443-3-3 Reference: SR2.5
Description The current session was locked due to inactivity.
Example The session of user admin was closed after 60 seconds of inactivity.
Severity Warning
Facility local0

Closing a remote access session

Log text [JOB] <{connection name}|{config detail}> deleting CHILD_SA after {time second} seconds of inactivity
Standard IEC 62443-3-3 Reference: SR 2.6
Description The remote session was ended after a period of inactivity. (IPsec)
Example [JOB] <to_Baugruppe1|21> deleting CHILD_SA after 20 seconds of inactivity
Severity Info
Facility local0

Log text OVPN_{connection name}[{config detail}]: [{config detail}] Inactivity timeout (--ping-restart), restarting
Standard IEC 62443-3-3 Reference: SR 2.6
Description The remote session was ended after a period of inactivity. (OpenVPN)
Example OVPN_c1[26296]: [router] Inactivity timeout (--ping-restart), restarting
Severity Info
Facility local0

Limiting the number of simultaneous sessions

Log text {protocol}: The maximum number of {max sessions} concurrent login session
exceeded.
Standard IEC 62443-3-3 Reference: SR2.7
Description The maximum number of parallel connections is exceeded.
Example WBM: The maximum number of 8 concurrent login session exceeded.
Severity Warning
Facility local0

Non-deniability (change configuration)

Log text Device configuration changed.
Standard IEC 62443-3-3 Reference: SR2.12
Description The configuration has been changed permanently.
Example Device configuration changed.
Severity Info
Facility local0

Communication integrity

Log text [IKE] <{connection name}|{config detail}> received invalid DPD sequence number {config detail} (expected {config detail}), ignored
Standard IEC 62443-3-3 Reference: SR 3.1
Description Integrity check failed. (IPsec)
Example [IKE] <c1|1> received invalid DPD sequence number 10 (expected 12), ignored
Severity Info
Facility local0

Log text OVPN_{connection name}[{config detail}]: Authenticate/Decrypt packet error: packet HMAC authentication failed
Standard IEC 62443-3-3 Reference: SR 3.1
Description Integrity check failed (OpenVPN).
Example OVPN_c1[25409]: Authenticate/Decrypt packet error: packet HMAC authentication failed
Severity Warning
Facility local0

Restoration of the automation system

Log text {protocol}: Loaded file type Firmware {version} (restart required).
Standard IEC 62443-3-3 Reference: SR7.4
Description Firmware update was successfully uploaded.
Example TFTP: Loaded file type Firmware V02.00.00 (restart required).
Severity Info
Facility local0

Log text {protocol}: User {user name} loaded file type Firmware {version} (restart required).
Standard IEC 62443-3-3 Reference: SR7.4
Description Firmware update was successfully uploaded.
Example WBM: User admin loaded file type Firmware V02.00.00 (restart required).
Severity Info
Facility local0

Log text {protocol}: Failed to load file type Firmware.
Standard IEC 62443-3-3 Reference: SR7.4
Description Error loading the firmware update.
Example WBM: Failed to load file type Firmware.
Severity Warning
Facility local0

Log text {protocol}: Loaded file type Config (restart required).
Standard IEC 62443-3-3 Reference: SR7.4
Description The configuration is applied.
Example TFTP: Loaded file type Config (restart required).
Severity Info
Facility local0

Log text {protocol}: Loaded file type ConfigPack (restart required).
Standard IEC 62443-3-3 Reference: SR7.4
Description The configuration is applied.
Example TFTP: Loaded file type ConfigPack (restart required).
Severity Info
Facility local0

Log text {protocol}: User {user name} loaded file type Config (restart required).
Standard IEC 62443-3-3 Reference: SR7.4
Description The configuration is applied.
Example WBM: User admin loaded file type Config (restart required).
Severity Info
Facility local0

Log text {protocol}: User {user name} loaded file type ConfigPack (restart required).
Standard IEC 62443-3-3 Reference: SR7.4
Description The configuration is applied.
Example WBM: User admin loaded file type ConfigPack (restart required).
Severity Info
Facility local0
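The RFC 5424 layout from section A.1 and the message templates from section A.3, worked through as an added example (not Siemens code): the parser splits the header, decodes PRI into facility and severity, matches the message text against a selection of the A.3 templates with their IEC 62443-3-3 references, and flags source addresses with repeated remote login failures. The sample lines, the host name S615, the timestamps and the timeQuality block are constructed; only the message texts follow the templates on this page.

```python
"""Parse SCALANCE S615 syslog lines (RFC 5424, section A.1) and classify the
IEC 62443-3-3 events of section A.3 for a SIEM. Added example, not Siemens code:
sample lines are constructed; host name, timestamps and timeQuality block are assumed."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"]
FACILITIES += [f"local{i}" for i in range(8)]   # 16..23; the device logs to local0

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG ("-" = unknown;
# SD is "-" or one or more [...] elements; an escaped "]" inside SD is not handled here)
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+) ?(?P<msg>.*)$"
)

# Selected A.3 message templates: (rule name, standard reference, pattern)
TEMPLATES = [
    ("failed_login_local", "SR1.1", re.compile(
        r"^Console: User (?P<user>\S+) failed to log in\.$")),
    ("failed_login_remote", "SR1.1", re.compile(
        r"^(?P<protocol>\w+): User (?P<user>\S+) failed to log in from (?P<ip>\S+)\.$")),
    ("default_credentials", "NERC-CIP 007-R5", re.compile(
        r"^(?P<protocol>\w+): Default user (?P<user>\S+) logged in(?: from (?P<ip>\S+))?\.$")),
    ("account_locked", "SR1.11", re.compile(
        r"^User (?P<user>\S+) account is locked for (?P<minutes>\d+) minutes "
        r"after (?P<count>\d+) unsuccessful login attempts\.$")),
    ("firewall_reject", "SR 1.2", re.compile(
        r"^(?P<action>REJECT|DROP)\(\d+\) in:(?P<ifin>\S+) out:(?P<ifout>\S+) "
        r"len:(?P<len>\d+) s-mac:(?P<smac>\S+) d-mac:(?P<dmac>\S+) "
        r"s-ip:(?P<sip>\S+) d-ip:(?P<dip>\S+) (?P<protocol>\w+):(?P<sport>\d+)->(?P<dport>\d+)$")),
    ("ipsec_auth_failed", "NERC CIP 005-R3", re.compile(
        r"^\[IKE\] <(?P<conn>[^|]+)\|\d+> received AUTHENTICATION_FAILED notify error$")),
    ("config_changed", "SR2.12", re.compile(r"^Device configuration changed\.$")),
    ("firmware_loaded", "SR7.4", re.compile(
        r"^(?P<protocol>\w+): (?:User (?P<user>\S+) )?[Ll]oaded file type Firmware "
        r"(?P<version>\S+) \(restart required\)\.$")),
]

@dataclass
class Event:
    facility: str
    severity: str
    host: str
    msg: str
    rule: Optional[str] = None        # matched A.3 template, if any
    reference: Optional[str] = None   # IEC 62443-3-3 SR or NERC CIP reference
    fields: dict = field(default_factory=dict)

def parse_line(line: str) -> Optional[Event]:
    """Decode one RFC 5424 line; return None for lines that are not syslog."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    facility, severity = divmod(int(m["pri"]), 8)   # PRI = facility * 8 + severity
    if facility >= len(FACILITIES):
        return None
    event = Event(FACILITIES[facility], SEVERITIES[severity], m["host"], m["msg"])
    for rule, ref, rx in TEMPLATES:
        hit = rx.match(event.msg)
        if hit:
            event.rule, event.reference = rule, ref
            event.fields = {k: v for k, v in hit.groupdict().items() if v is not None}
            break
    return event

def analyze(lines, fail_threshold: int = 3) -> dict:
    """Classify all lines and flag source IPs with repeated remote login failures."""
    events = [e for e in map(parse_line, lines) if e is not None]
    failures = Counter(e.fields["ip"] for e in events if e.rule == "failed_login_remote")
    return {
        "events": len(events),
        "unmatched": sum(1 for e in events if e.rule is None),
        "by_rule": dict(Counter(e.rule for e in events if e.rule)),
        "brute_force_sources": sorted(ip for ip, n in failures.items() if n >= fail_threshold),
    }

SD = '[timeQuality tzKnown="1" isSynced="1"]'   # assumed STRUCTURED-DATA block
SAMPLE_LINES = [   # constructed input; <132> = local0/warning, <134> = local0/info
    f"<132>1 2019-01-15T10:23:41Z S615 - - - {SD} SSH: User testuser failed to log in from 192.168.0.1.",
    f"<132>1 2019-01-15T10:23:44Z S615 - - - {SD} SSH: User testuser failed to log in from 192.168.0.1.",
    f"<132>1 2019-01-15T10:23:47Z S615 - - - {SD} WBM: User admin failed to log in from 192.168.0.1.",
    f"<132>1 2019-01-15T10:23:50Z S615 - - - {SD} User admin account is locked for 10 minutes "
    "after 30 unsuccessful login attempts.",
    f"<134>1 2019-01-15T10:24:02Z S615 - - - {SD} SSH: Default user admin logged in from 192.168.0.1.",
    f"<132>1 2019-01-15T10:25:10Z S615 - - - {SD} REJECT(1) in:vlan1 out:ppp0 len:52 "
    "s-mac:58:EF:68:B3:FA:CE d-mac:00:1B:1B:A7:5B:D8 s-ip:172.23.1.6 d-ip:217.194.40.109 tcp:53773->443",
    f"<132>1 2019-01-15T10:26:00Z S615 - - - {SD} [IKE] <c1|1> received AUTHENTICATION_FAILED notify error",
    f"<134>1 2019-01-15T10:27:00Z S615 - - - {SD} Device configuration changed.",
    f"<134>1 2019-01-15T10:28:00Z S615 - - - {SD} WBM: User admin logged in from 192.168.0.2.",
    "this is not a syslog line",
]

if __name__ == "__main__":
    print(analyze(SAMPLE_LINES))
```

Messages not covered by TEMPLATES (such as a successful remote login) are still decoded and counted under "unmatched", so a gap in the template list is visible rather than silently dropped.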

Index

A
Aging
  Dynamic MAC Aging, 231
Authentication, 163
Available system functions, 20

B
Basic Wizard
  Starting, 73
Bridge, 109, 233
  Bridge priority, 109, 233
  Root bridge, 109, 233
Bridge Max Age, 110, 234
Bridge Max Hop Count, 110
button, 183

C
CA certificate, 53
Certificates, 280
Configuration
  PPP, 221
Configuration manuals, 317
Configuration mode, 125
CoS (Class of Service), 38
C-PLUG, 25
  Formatting, 190
  Saving the configuration, 190

D
DCP Discovery, 195
DCP server, 123
Dead peer detection, 58
Device
  Basic Wizard, 76
  System, 126
Device certificate, 53
DHCP
  Client, 201
DST
  Daylight saving time, 167, 169

E
E-Mail function, 151
  Events, 151
  Line monitoring, 151
Error status, 99

F
Factory defaults, 317
Factory setting, 317
Fault monitoring
  Connection status change, 186
Forward Delay, 110, 234

G
Geographic coordinates, 128
Glossary, 4
Groups, 269

H
Hardware Revision, 92
Hello time, 110, 234

I
ICMP, 36
Information
  ARP table, 93
  Groups, 121
  Hardware, 91
  IPsec VPN, 105
  LLDP, 102
  Log table, 94, 98
  OpenVPN client, 108
  Role, 120
  Security, 116, 119
  Security log, 96
  SINEMA RC, 106
  SNMP, 101, 102
  Software, 91
  Spanning tree, 111
  Start page, 85
  Versions, 91
IP address
  Configuration, 245
IPsec method, 55
IPsec VPN
  NETMAP, 50
  Source NAT, 50
IPv4
  VRRPv3, 65
IPv4 routing
  Routing table, 103

K
KEY-PLUG, 25, 192, 192
  Formatting, 190

L
Layer 2, 224
Layer 3, 192, 192
Line monitoring, 151
LLDP, 102, 239
Location, 128
Log table
  Event log, 94
  Firewall log, 98
  Security log, 96
Logout
  Automatic, 182

M
Maintenance data, 92
Manufacturer, 92
Manufacturer ID, 92

N
NAPT
  Configuring, 248
NAT
  1-to-1 NAT, 253
  Configuring, 247
  Masquerading, 49
  NAPT, 49
  NAT traversal, 57
  NETMAP, 50
  Source NAT, 50
NAT traversal, 57
NTP
  Client, 175
  Server, 181

O
Order ID, 92

P
Password, 264, 271
Ping, 194
PLUG, 192, 192
  C-PLUG, (C-PLUG)
point-to-point, 64
Port
  Port configuration, 216
PPP
  Configuration, 221
  Overview, 220

Q
QoS Trust, 38

R
RADIUS, 274
Redundant networks, 109, 233
Requirement
  Power supply, 18
Reset, 130
RESET button, 183
Reset device, 317, 317
Restart, 130
Restore Factory Defaults, 317
Roles, 268
Root Max Age, 110, 234
Routing, 241
  ICMP, 36
  IPv4 routing table, 103
  Static routes, 241
RSTP, 232

S
Security settings, 159
SELECT/SET button, 183
Serial number, 92
Server certificate, 53
Service & Support, 4
SFTP
  Load/save, 141
SHA algorithm, 160
SIMATIC NET glossary, 4
SIMATIC NET manual, 4
SMTP
  Client, 123
SNAT
  Configuring, 250
SNMP, 40, 124, 155, 159
  Groups, 159
  Overview, 101
  SNMPv1, 40
  SNMPv2c, 40
  SNMPv3, 40
  Trap, 158
  Users, 162
Software version, 92
Source NAT
  Masquerading, 49
Spanning tree, 232
  Information, 111
Spanning Tree
  Rapid Spanning Tree, 64
SSH
  Server, 122
Standard mode, 54
Start page, 85
Stateful Inspection Firewall, 45
Subnet
  Configuration, 245
  Overview, 243
Subnet mask, 33
Syslog, 184
  Client, 123
System
  Configuration, 122
  Device, 126
  General information, 126
  Load and Save via HTTP, 134
System event log
  Agent, 184
System events
  Configuration, 146
  Severity filter, 150

T
Telnet
  Server, 122
TFTP
  Load/save, 137
Time
  Time zone, 178
  UTC time, 178
Time of day
  Manual setting, 78, 165
  NTP Client, 79
  SIMATIC Time Client, 179
  SNTP (Simple Network Time Protocol), 172
  System time, 78, 165
  Time zone, 174
  Time-of-day synchronization, 172
  UTC time, 174
Time setting, 124
Training, 4

U
User groups, 269

V
VLAN, 37
  Port VID, 230
  Priority, 229
  Tag, 229
  VLAN ID, 39
  VLAN tag, 38
VPN connection
  Status, 105
  Status OpenVPN client, 108
VRRP
  VRRP addresses overview (IPv4), 260
  VRRPv3 Addresses Configuration (IPv4), 261
  VRRPv3 Configuration (IPv4), 258
  VRRPv3 routers (IPv4), 255
VRRPv3
  Backup router, 65
  Interface Tracking, 262
  Master router, 65
  Virtual router, 65
  VRRPv3 router, 65
VRRPv3 Statistics, 114

W
Web Based Management, 67
  Requirement, 67